Security Notification

Configuration to allow BlackICE to Respond to SQL Slammer (AKA: Sapphire) worm

Many BlackICE users have contacted me regarding the recent SQL Slammer worm and its effects. Currently, BlackICE is only reporting SQL Slammer as a UDP port probe. This is due to the extremely small size of the Slammer worm: it is contained within a single UDP datagram.

Anitian has devised a configuration fix that will allow BlackICE agents (Sentry, Guard, Server, and Workstation) to detect and respond to the recent SQL Slammer worm. This configuration will cause the BlackICE software to identify UDP probes on port 1434 as "Code Red II+" and then block the IP address of the attacking system automatically. Obviously SQL Slammer is not a Code Red attack, but I chose this signature because it initiates an immediate firewall block of the offending IP address. This doesn't mean your system will be completely safe, but it will prevent additional compromise and block the attacker for an hour. It is still necessary (and recommended) that anybody with SQL Server machines apply the appropriate patches from Microsoft and filter access to UDP port 1434 at your border firewalls.

NOTE: This configuration is not endorsed by Internet Security Systems. Also, this fix is only applicable to BlackICE or RealSecure Desktop Protector products. It is not applicable to RealSecure network or server sensor products.

---

From BlackICE Local Console

1. Stop the BlackICE service.
2. Locate the sigs.ini file in the directory where BlackICE is installed.
3. Right-click on this file and uncheck the read-only option.
4. Open this file in Notepad, or another such text editor.
5. Insert the following line:

   udpprobe.2004603.1434=SQLSlammer

6. Save the file.
7. Once saved, return the file to read-only.

---

From ICEcap

You will need to repeat these steps for every IDS configuration where you wish to deploy this signature modification.

1. Logon to ICEcap.
2. Go to the IDS Configuration Policy Element and click on Edit for the IDS configuration where you wish to make this change.
3. Click on Custom.
4. Click Add Parameter.
5. In the NAME box enter: udpprobe.2004603.1434
6. In the VALUE box enter: SQLSlammer
7. Enter anything you want in the Comments box.
8. Click Save Settings.

If you wish to use a different signature, one that will not initiate a firewall block, you might consider Worm Extensions (signature ID: 2002209). Replace the 2004603 in the above examples with this signature ID.

If you are filtering UDP port 1434 at your border firewall or you have BlackICE in Paranoid mode, you should remain unaffected by this worm. In Paranoid mode, BlackICE blocks all upper UDP ports by default.

If you have any questions or comments, please contact me.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
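As an added example (not part of the post above, and not Anitian's or ISS's tooling), here is a small Python helper that performs the sigs.ini steps programmatically and idempotently, so the same change can be pushed to many workstations and later switched between the 2004603 (auto-block) and 2002209 (alert only) signature IDs. It assumes only the key=value form udpprobe.<signature-id>.<port>=<name> that the post quotes; everything else about the file layout is an assumption.

```python
import re
import stat
from pathlib import Path

CODE_RED_II_PLUS = 2004603  # from the post: this signature triggers an automatic firewall block
WORM_EXTENSIONS = 2002209   # from the post: alerts on the probe without blocking
SLAMMER_PORT = 1434
# Assumed key form, taken from the line the post inserts: udpprobe.<sig-id>.<port>=<name>
_UDPPROBE_RE = re.compile(r"^\s*udpprobe\.(\d+)\.(\d+)\s*=\s*(.*?)\s*$")

def udpprobe_line(sig_id, port, name):
    return f"udpprobe.{sig_id}.{port}={name}"

def parse_udpprobe(line):
    """(sig_id, port, name) for a udpprobe mapping line, else None."""
    m = _UDPPROBE_RE.match(line)
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None

def apply_signature(text, sig_id=CODE_RED_II_PLUS, port=SLAMMER_PORT, name="SQLSlammer"):
    """Return sigs.ini text with exactly one udpprobe mapping for `port`: an existing
    mapping is replaced in place (2004603 <-> 2002209 is one call), else the line is appended."""
    wanted = udpprobe_line(sig_id, port, name)
    out, replaced = [], False
    for line in text.splitlines():
        parsed = parse_udpprobe(line)
        if parsed and parsed[1] == port:
            if not replaced:
                out.append(wanted)
                replaced = True
            continue  # drop stale duplicates for the same port
        out.append(line)
    if not replaced:
        out.append(wanted)
    return "\n".join(out) + "\n"

def active_mapping(text, port=SLAMMER_PORT):
    """(sig_id, name) that `text` assigns to UDP probes on `port`, or None."""
    for line in text.splitlines():
        parsed = parse_udpprobe(line)
        if parsed and parsed[1] == port:
            return parsed[0], parsed[2]
    return None

def update_sigs_ini(path, **kwargs):
    """Steps 2-7 of the post (stop the BlackICE service first)."""
    p = Path(path)
    mode = p.stat().st_mode
    p.chmod(mode | stat.S_IWRITE)  # step 3: uncheck read-only
    p.write_text(apply_signature(p.read_text(), **kwargs))
    p.chmod(mode & ~stat.S_IWRITE)  # step 7: return to read-only
```

Call update_sigs_ini(r"C:\path\to\sigs.ini") for the default auto-block signature, or pass sig_id=WORM_EXTENSIONS for the non-blocking variant; the ICEcap path in the post still has to be done in the console.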
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 13:20:25 PST