Andrew - Prior even to the initial propagation of the worm, NFR NID detected exploitation of the underlying vulnerability and identified it as a "SQL Server stack overflow." Several major NFR customers sent us emails complimenting us on our foresight, as their NFR NID appliances have enabled them to detect this attack since August, 2002. Still, our Rapid Response Team responded the day of the outbreak, releasing an updated version of the package that indentified the worm by its new name and included some tuning variables to help reduce the number of alerts generated by the incoming onslaught from other, more vulnerable sites. From my perspective, this was remarkably reminiscent of the Nimda epidemic, and it is another testament to the value of advanced hybrid intrusion detection solutions. -MAB -- Michael A Barkett VP, Systems Engineering NFR Security, Inc. 5 Choke Cherry Road, Rockville, MD 20850 Phone: 240.747.3478 Fax: 240.632.0202 ----- Original Message ----- From: "Andrew Plato" <aplato@private> To: <crime@private>; <focus-ids@private> Sent: Tuesday, January 28, 2003 5:49 PM Subject: SQLSlammer Worm & IDSs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am curious what people were seeing with SQL Slammer and their IDSs. I've been collecting anecdotal evidence that Slammer flew right past a lot of IDSs. I know that Snort and BlackICE just reported UDP port probes. Snort got a sig early Saturday morning however. RealSecure sensors had a signature in September that seemed to worked. I am curious what anybody running Cisco's IDS, Symantec Manhunt, Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it identified as a worm or just a port probe? What has me concerned is that the smallness of this worm made it look like nothing more than a UDP probe. As such, a lot of IDSs didn't consider this a very important event, since a UDP port probe is a pretty common event on any network. ___________________________________ Andrew Plato, CISSP President / Principal Consultant Anitian Corporation 503-644-5656 Office 503-644-8574 Fax 503-201-0821 Mobile www.anitian.com ___________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13 iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl ev2MhAeNBwJaoTEXZDG+/mk==cGis -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 15:48:24 PST