CRIME SQLSlammer Worm & IDSs

From: Andrew Plato (aplato@private)
Date: Tue Jan 28 2003 - 14:49:21 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    I am curious what people were seeing with SQL Slammer and their IDSs.
    I've been collecting anecdotal evidence that Slammer flew right past
    a lot of IDSs. 
    
    I know that Snort and BlackICE just reported UDP port probes. Snort
    got a sig early Saturday morning however. RealSecure sensors had a
    signature in September that seemed to work.
    
    I am curious what anybody running Cisco's IDS, Symantec Manhunt,
    Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
    identified as a worm or just a port probe? 
    
    What has me concerned is that the smallness of this worm made it look
    like nothing more than a UDP probe. As such, a lot of IDSs didn't
    consider this a very important event, since a UDP port probe is a
    pretty common event on any network.
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com 
    ___________________________________
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13
    
    iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl
    ev2MhAeNBwJaoTEXZDG+/mk=
    =cGis
    -----END PGP SIGNATURE-----
    
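The point Andrew raises above, as an added example that is not part of the original post or any vendor's rule set: a bare "UDP to port 1434" signature reports a Slammer infection attempt and a harmless probe as the same low-priority event, while a protocol-aware or content rule separates them. The facts it relies on are documented for Slammer (CVE-2002-0649) but not stated on the page: the worm is one UDP datagram to 1434 whose 376-byte payload begins with the SQL Server Resolution Service (SSRS) opcode 0x04 and carries its code inline. The byte patterns in `rule_slammer` are my recollection of the public Snort rule "MS-SQL Worm propagation attempt" (0x04 at depth 1, the xor instruction bytes `81 F1 03 01 04 9B 81 F1`, and the strings `sock` and `send`); the `MAX_SANE_SSRS_REQUEST` threshold is a heuristic I chose, and every datagram in `build_sample_traffic()` is constructed here, not captured.

```python
"""
Added example: three detectors of increasing specificity run over constructed
UDP/1434 datagrams.  Nothing here is quoted from the mailing-list post.
"""
import struct
from dataclasses import dataclass

SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376            # 404-byte packet minus 20-byte IP and 8-byte UDP headers
SLAMMER_XOR_BYTES = bytes.fromhex("81F10301049B81F1")   # recalled from the public Snort rule
MAX_SANE_SSRS_REQUEST = 64           # assumption: a real 0x04 request is an opcode plus a short instance name


@dataclass
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """Build an 8-byte UDP header (checksum zeroed) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_udp(src: str, dst: str, raw: bytes) -> Datagram:
    """Split a UDP header from its payload, rejecting a length field that lies."""
    if len(raw) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _checksum = struct.unpack("!HHHH", raw[:8])
    if length != len(raw):
        raise ValueError(f"UDP length field {length} != {len(raw)} bytes on the wire")
    return Datagram(src, dst, sport, dport, raw[8:])


def rule_port_probe(dg: Datagram) -> bool:
    """What a generic 'UDP port probe' signature sees: any datagram to 1434."""
    return dg.dport == SSRS_PORT


def rule_ssrs_oversized(dg: Datagram) -> bool:
    """Protocol-aware heuristic: an opcode-0x04 request far longer than an
    instance name can be is an overflow attempt, whatever code it carries."""
    p = dg.payload
    return dg.dport == SSRS_PORT and p[:1] == b"\x04" and len(p) > MAX_SANE_SSRS_REQUEST


def rule_slammer(dg: Datagram) -> bool:
    """Content rule for Slammer itself (patterns recalled from the public Snort rule)."""
    p = dg.payload
    return (dg.dport == SSRS_PORT
            and p[:1] == b"\x04"
            and SLAMMER_XOR_BYTES in p
            and b"sock" in p
            and b"send" in p)


RULES = {
    "udp-1434-probe": rule_port_probe,
    "ssrs-oversized-request": rule_ssrs_oversized,
    "slammer-propagation": rule_slammer,
}


def build_sample_traffic() -> list:
    """Constructed datagrams, not captures: three benign-looking ones and a worm-shaped one."""
    # Like the real worm, start with the 0x04 opcode and a long run of 0x01 bytes,
    # then embed the patterns the content rule looks for and pad to 376 bytes.
    worm = bytearray(b"\x04" + b"\x01" * 96)
    worm += SLAMMER_XOR_BYTES + b"\x90" * 40 + b"sock" + b"\x90" * 40 + b"send"
    worm += b"\xcc" * (SLAMMER_PAYLOAD_LEN - len(worm))
    assert len(worm) == SLAMMER_PAYLOAD_LEN
    return [
        ("10.0.0.5",      "10.0.1.20", udp_datagram(1434, 1434, b"\x02")),                # client listing instances
        ("192.0.2.9",     "10.0.1.20", udp_datagram(40001, 1434, b"")),                   # zero-length scanner probe
        ("10.0.0.6",      "10.0.1.20", udp_datagram(1434, 1434, b"\x04MSSQLSERVER\x00")), # legitimate 0x04 request
        ("198.51.100.77", "10.0.1.20", udp_datagram(4521, 1434, bytes(worm))),            # Slammer-shaped datagram
    ]


def classify(traffic) -> list:
    """Return (src, [names of rules that fired]) for each datagram."""
    out = []
    for src, dst, raw in traffic:
        dg = parse_udp(src, dst, raw)
        out.append((src, [name for name, rule in RULES.items() if rule(dg)]))
    return out


if __name__ == "__main__":
    for src, hits in classify(build_sample_traffic()):
        print(f"{src:>15}  {', '.join(hits) or '-'}")
```

Run as written, the port-probe rule fires on all four datagrams, which is exactly why an IDS carrying only that rule filed Slammer under "common UDP noise"; the oversized-request heuristic and the content rule fire on the worm-shaped datagram alone. The heuristic is worth keeping alongside the worm-specific rule because it does not depend on knowing the worm's bytes in advance.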



    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 15:37:32 PST