CRIME Re: SQLSlammer Worm & IDSs

From: kyle.r.maxwell@private
Date: Wed Jan 29 2003 - 11:09:36 PST


    ISS RealSecure reports it as "SQL_SSRP_StackBo". There's also a signature 
    (not triggered by this worm) for the related heap overflow 
    (SQL_SSRP_HeapBo). And yes, the worm definitely triggers this in 
    abundance.
    
    "Andrew Plato" <aplato@private>
    01/28/2003 04:49 PM
    
     
            To:     crime@private, focus-ids@private
            cc: 
            Subject:        SQLSlammer Worm & IDSs
    
    
    I am curious what people were seeing with SQL Slammer and their IDSs.
    I've been collecting anecdotal evidence that Slammer flew right past
    a lot of IDSs. 
    
    I know that Snort and BlackICE just reported UDP port probes. Snort
    got a sig early Saturday morning however. RealSecure sensors had a
    signature in September that seemed to work. 
    
    I am curious what anybody running Cisco's IDS, Symantec Manhunt,
    Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
    identified as a worm or just a port probe? 
    
    What has me concerned is that the smallness of this worm made it look
    like nothing more than a UDP probe. As such, a lot of IDSs didn't
    consider this a very important event, since a UDP port probe is a
    pretty common event on any network.
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com 
    ___________________________________
    
    
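The thread's concern is that a port-probe signature sees only "UDP to 1434" and so files a Slammer datagram with ordinary scans. As an added illustration (not code from either poster), the toy classifier below contrasts that port-only view with a payload-aware check on the SSRP opcode byte and request length; the opcode constants are the documented SSRP request types, while the size threshold, sample addresses and datagrams are constructed assumptions.

```python
# Added example, not from the thread: show why a port/size-only view of
# UDP/1434 traffic lumps Slammer-style datagrams in with ordinary SSRP
# probes, and what a payload-aware rule inspects instead.
# The threshold and sample datagrams below are constructed assumptions.
from dataclasses import dataclass

SSRP_PORT = 1434          # SQL Server Resolution Protocol (UDP)
CLNT_BCAST_EX = 0x02      # "list instances" broadcast ping
CLNT_UCAST_EX = 0x03      # unicast ping
CLNT_UCAST_INST = 0x04    # "look up named instance" request
# Instance names are short; a 0x04 request far beyond that is suspicious.
# 64 is an assumed threshold for this example, not a product setting.
MAX_SANE_INST_REQUEST = 64

@dataclass
class Datagram:
    src: str
    dst_port: int
    payload: bytes

def classify(dg: Datagram) -> str:
    """Payload-aware verdict for one UDP datagram."""
    if dg.dst_port != SSRP_PORT:
        return "not-ssrp"
    if not dg.payload:
        return "udp-probe"             # empty probe, e.g. a port scan
    op = dg.payload[0]
    if op in (CLNT_BCAST_EX, CLNT_UCAST_EX) and len(dg.payload) == 1:
        return "ssrp-ping"
    if op == CLNT_UCAST_INST:
        if len(dg.payload) > MAX_SANE_INST_REQUEST:
            return "ssrp-oversized-instance-request"
        return "ssrp-instance-request"
    return "ssrp-unknown"

def port_only_view(dg: Datagram) -> str:
    """What a bare port-probe signature sees: the port hit, nothing else."""
    return "udp-1434-probe" if dg.dst_port == SSRP_PORT else "other"

# Constructed samples, not captured traffic.
SAMPLES = [
    Datagram("10.0.0.5", 1434, b""),
    Datagram("10.0.0.6", 1434, bytes([CLNT_UCAST_EX])),
    Datagram("10.0.0.7", 1434, bytes([CLNT_UCAST_INST]) + b"SQLEXPRESS\x00"),
    Datagram("10.0.0.8", 1434, bytes([CLNT_UCAST_INST]) + b"A" * 375),
]

def summarize(dgs):
    """Pair the port-only verdict with the payload-aware one per datagram."""
    return [(port_only_view(d), classify(d)) for d in dgs]
```

Running `summarize(SAMPLES)` shows every sample as the same "udp-1434-probe" in the port-only column, while only the last one is flagged as an oversized instance request.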

    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 11:27:26 PST