CRIME Re: SQLSlammer Worm & IDSs

From: Mike Barkett (mbarkett@private)
Date: Wed Jan 29 2003 - 15:31:54 PST

    Andrew -
    
    Prior even to the initial propagation of the worm, NFR NID detected
    exploitation of the underlying vulnerability and identified it as a "SQL
    Server stack overflow."  Several major NFR customers sent us emails
    complimenting us on our foresight, as their NFR NID appliances have enabled
    them to detect this attack since August, 2002.  Still, our Rapid Response
    Team responded the day of the outbreak, releasing an updated version of the
    package that identified the worm by its new name and included some tuning
    variables to help reduce the number of alerts generated by the incoming
    onslaught from other, more vulnerable sites.  From my perspective, this was
    remarkably reminiscent of the Nimda epidemic, and it is another testament to
    the value of advanced hybrid intrusion detection solutions.
    
    -MAB
    
    --
    Michael A Barkett
    VP, Systems Engineering
    NFR Security, Inc.
    5 Choke Cherry Road, Rockville, MD 20850
    Phone: 240.747.3478  Fax: 240.632.0202
    
    ----- Original Message -----
    From: "Andrew Plato" <aplato@private>
    To: <crime@private>; <focus-ids@private>
    Sent: Tuesday, January 28, 2003 5:49 PM
    Subject: SQLSlammer Worm & IDSs
    
    
    I am curious what people were seeing with SQL Slammer and their IDSs.
    I've been collecting anecdotal evidence that Slammer flew right past
    a lot of IDSs.
    
    I know that Snort and BlackICE just reported UDP port probes. Snort
    got a sig early Saturday morning however. RealSecure sensors had a
    signature in September that seemed to work.
    
    I am curious what anybody running Cisco's IDS, Symantec Manhunt,
    Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
    identified as a worm or just a port probe?
    
    What has me concerned is that the smallness of this worm made it look
    like nothing more than a UDP probe. As such, a lot of IDSs didn't
    consider this a very important event, since a UDP port probe is a
    pretty common event on any network.
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________
    
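To illustrate the point raised above about a small single-packet worm looking like an ordinary UDP probe, here is an added example (not code from either poster or from any of the named IDS products) that runs two toy detectors over constructed traffic: a port-only counter, which sees nothing but hits on a port, and a payload-aware rule, which inspects the SSRP message type and length. It assumes the SQL Server Resolution Service on UDP/1434, a one-byte 0x02 client ping as the normal request, and a 100-byte threshold for type-0x04 messages as a chosen tuning value.

```python
# Added example: two toy UDP detectors over constructed datagrams, showing why
# a port-only sensor logs Slammer-style traffic as a mere probe while a
# payload-aware rule flags the oversized request.
# Assumptions: SQL Server Resolution Service listens on UDP/1434; a legitimate
# client ping is a single byte 0x02; message type 0x04 carries an instance
# name, so an unusually long 0x04 message is what to alert on (the 100-byte
# threshold is a chosen tuning value, not a documented limit).
from collections import Counter

SQL_RESOLUTION_PORT = 1434
MAX_SANE_0x04_LEN = 100   # tuning variable (assumed); real requests are tiny

def port_probe_detector(datagrams):
    """Port-centric view: counts hits per destination port, nothing else."""
    return Counter(dst_port for _src, dst_port, _payload in datagrams)

def payload_aware_detector(datagrams):
    """Classifies each UDP/1434 datagram by its SSRP message type and size."""
    verdicts = []
    for src, dst_port, payload in datagrams:
        if dst_port != SQL_RESOLUTION_PORT:
            verdicts.append((src, "ignore"))
        elif len(payload) <= 1:
            verdicts.append((src, "udp-probe"))            # empty or bare opcode
        elif payload[0] == 0x04 and len(payload) > MAX_SANE_0x04_LEN:
            verdicts.append((src, "sql-resolution-overflow"))
        else:
            verdicts.append((src, "ssrp-request"))
    return verdicts

# Constructed sample traffic: a scanner, a normal client ping, a worm-sized
# 376-byte type-0x04 message made of filler bytes, and unrelated UDP traffic.
SAMPLE = [
    ("10.0.0.5", 1434, b""),                      # bare port probe
    ("10.0.0.6", 1434, b"\x02"),                  # legitimate SSRP client ping
    ("10.0.0.7", 1434, b"\x04" + b"\x01" * 375),  # oversized type-4 message
    ("10.0.0.8", 53,   b"\x00" * 40),             # unrelated UDP traffic
]

def summarize(datagrams=SAMPLE):
    """Returns (hits on UDP/1434 seen by the port-only view, sources flagged
    by the payload-aware view)."""
    probe_view = port_probe_detector(datagrams)
    flagged = [src for src, verdict in payload_aware_detector(datagrams)
               if verdict == "sql-resolution-overflow"]
    return probe_view[SQL_RESOLUTION_PORT], flagged

if __name__ == "__main__":
    hits, flagged = summarize()
    print(f"port-only view: {hits} hits on UDP/1434 (all look like probes)")
    print(f"payload-aware view: overflow attempts from {flagged}")
```

The port-only view reports three indistinguishable hits on UDP/1434, while the payload-aware view singles out only the oversized 0x04 message; the difference is the tuning knob a sensor needs to avoid burying the event among routine probes.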