Re: SQL Slammer Variant?

Aaron,

If you're pretty sure that the traffic is originating internally and is spoofed, here are a couple of things you could do:

• If you have internal routers, add source address spoofing filters to each of their interfaces. You could turn on logging for matches based on that rule and at least narrow down which of your networks this is coming from. This is a good thing to have in any event. People on your internal network shouldn't be sending spoofed packets.
• If you don't have internal routers and you've got just one big switched network, then the source MAC address of the spoofed packets should hopefully be in the packet captures of your IDS logs. Use this information in combination with your switch management tools to figure out where the traffic is coming from.

HTH,

-- 
crucible 
---------------------------------------------------------------------------
Excellent. The weather machine is nearly completed. What do you say to
that broccoli? Stop mocking me! -- Stewie from Family Guy


Wilson, Aaron J. wrote:

> I am witnessing SQL Slammer IDS events on an internal sensor that aren't




----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents