Andrew Plato wrote:
> I am curious what people were seeing with SQL Slammer and their IDSs.
> I've been collecting anecdotal evidence that Slammer flew right past
> a lot of IDSs.
>
> I know that Snort and BlackICE just reported UDP port probes. Snort
> got a sig early Saturday morning however. RealSecure sensors had a
> signature in September that seemed to work.
>
> I am curious what anybody running Cisco's IDS, Symantec Manhunt,
> Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
> identified as a worm or just a port probe?

The NFRs we run reported the probe/attack as the following,

Severity: Attack
Time: 21:27:51 24-Jan-2003
Source File: packages/mssql/sql2k.nfr
Line: 29
Alert ID: mssql_sql2k:sqlserv_stackoverflow_alert
Source ID: mssql_sql2k:source_me
Source: mssql_sql2k:source_me
Source Description: Sqlserver 2k overflow detector
Source PID: 32152
Alert Message: Sql server stack overflow detected: 216.65.99.XXX:1482 to 216.65.220.XXX:1434!
Source IP: 216.65.99.XXX
Destination IP: 216.65.220.XXX

The alert itself was not as interesting as the 17,098 others we got in the next 35 mins! :)

Then on Saturday at 2:45pm PST, the NFR Rapid Response Team released an update to their SQL package which separately identified the worm from the buffer overflow it detected the worm as...

--
Scott C. Kennedy
Lead Security Architect / Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
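The point in the reply above, that one overflow alert is just a probe while 17,098 of them in 35 minutes is a worm, is something an analyst can automate while waiting for a worm-specific signature. The following is an added example in Python, not NFR's code and not written by anyone in this thread: it parses the key/value alert layout shown above and flags a burst of one alert ID coming from many distinct source addresses. The record layout is copied from the post; every address, the thresholds, and every timestamp except the post's 21:27:51 24-Jan-2003 start time are constructed.

```python
"""Burst detection over NFR-style alert records.

Added example, not code from NFR or from anyone in the thread. It works out
mechanically what the reply's author saw by eye: one "Sql server stack
overflow detected" alert is a probe, thousands of them in a few minutes from
many hosts is a worm. Record layout is copied from the post; every address,
threshold and timestamp (other than the post's start time) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%H:%M:%S %d-%b-%Y"          # matches "21:27:51 24-Jan-2003"


def parse_alerts(text):
    """Split blank-line-separated 'Key: value' records into dicts.
    partition() on the first colon keeps colons inside values intact
    (the Alert Message line contains several)."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "Time" in rec:
            rec["_ts"] = datetime.strptime(rec["Time"], TIME_FMT)
            records.append(rec)
    return records


def alert_record(ts, src, dst="198.51.100.5"):
    """Build one constructed record in the same layout as the post's alert."""
    return "\n".join([
        "Severity: Attack",
        "Time: " + ts.strftime(TIME_FMT),
        "Source File: packages/mssql/sql2k.nfr",
        "Alert ID: mssql_sql2k:sqlserv_stackoverflow_alert",
        "Source Description: Sqlserver 2k overflow detector",
        f"Alert Message: Sql server stack overflow detected: {src}:1482 to {dst}:1434!",
        f"Source IP: {src}",
        f"Destination IP: {dst}",
    ])


def find_bursts(records, window=timedelta(minutes=5), min_alerts=20, min_sources=10):
    """Per alert ID, slide a time window over the time-sorted alerts and keep
    the densest one. A burst is only called an outbreak when it is both large
    and spread over many distinct sources: one noisy scanner makes volume from
    a single address, a worm makes volume from many. Thresholds are constructed."""
    by_id = defaultdict(list)
    for rec in records:
        by_id[rec["Alert ID"]].append((rec["_ts"], rec["Source IP"]))
    verdicts = {}
    for alert_id, events in by_id.items():
        events.sort()
        best = (0, set(), None)            # (count, sources, window start)
        left = 0
        for right in range(len(events)):
            # advance the left edge until the window fits
            while events[right][0] - events[left][0] > window:
                left += 1
            span = events[left:right + 1]
            if len(span) > best[0]:
                best = (len(span), {s for _, s in span}, events[left][0])
        count, sources, start = best
        verdicts[alert_id] = {
            "max_in_window": count,
            "distinct_sources": len(sources),
            "window_start": start,
            "outbreak": count >= min_alerts and len(sources) >= min_sources,
        }
    return verdicts


def build_sample():
    """Constructed timeline: three isolated probes from one host earlier in the
    day, then 40 alerts in about two minutes from 25 hosts, starting at the
    post's first alert time (21:27:51 24-Jan-2003)."""
    base = datetime(2003, 1, 24, 21, 27, 51)
    chunks = [alert_record(base - timedelta(hours=h), "192.0.2.7") for h in (9, 5, 2)]
    for i in range(40):
        chunks.append(alert_record(base + timedelta(seconds=3 * i), f"203.0.113.{i % 25}"))
    return "\n\n".join(chunks)


if __name__ == "__main__":
    for alert_id, verdict in find_bursts(parse_alerts(build_sample())).items():
        print(alert_id, verdict)
```

The parser is deliberately loose (any "Key: value" line, records separated by a blank line) so the exact record pasted in the post goes through it unchanged; the outbreak rule requires both volume and source diversity, which is the property that separates a worm from a single scanner or a misbehaving client before a dedicated worm signature is available.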
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 11:31:49 PST