CRIME Re: SQLSlammer Worm & IDSs

From: Talisker (talisker@private)
Date: Wed Jan 29 2003 - 13:30:55 PST


    Andrew
    Theorizing, and without playing with SQL and a protocol analyser, I'd suggest
    that it would be difficult to have pre-empted the Slammer with a simple
    grepping signature; furthermore, the original vulnerability has three issues:
    2 buffer overflows and a DOS on the SQL resolution service.  There are some
    signatures that will trigger on expected padding within a buffer overflow,
    but in 376 bytes there's not a great deal.  So would that be 3 grepping
    signatures for a single vulnerability?  You mention RealSecure Network
    Sensor detecting Slammer; I was under the impression that it was the
    RealSecure Intrusion Protection that detected Slammer from September, i.e. the
    firewalling element of the Sensor itself rather than packets promiscuously
    off the wire.  If it is the NIDS that detects it, I'd be very interested in
    the signature.
    
    I think there is some scope in researching signatures for those
    vulnerabilities that lend themselves to propagation within a worm.  Perhaps
    identifying normal behaviour on the service, etc., found to be vulnerable, then
    alerting on those that fall outside.  However, many of the signatures
    produced by the IDS vendors themselves have to be turned off through false
    positives, so what chance has a mere mortal such as myself in producing a
    solid signature that is flexible enough to cover the full exploit scope of a
    vulnerability?
    
    As you pointed out, the increase in UDP port probes centred on 1434 should
    get the IDS singing, especially fed through a visualization tool (pretty
    picture).
    Just my $0.02.
    
    take care
    -andy
    
    Talisker's Network Security Tools
    http://www.networkintrusion.co.uk
    ----- Original Message -----
    From: "Andrew Plato" <aplato@private>
    To: <crime@private>; <focus-ids@private>
    Sent: Tuesday, January 28, 2003 10:49 PM
    Subject: SQLSlammer Worm & IDSs
    
    
    I am curious what people were seeing with SQL Slammer and their IDSs.
    I've been collecting anecdotal evidence that Slammer flew right past
    a lot of IDSs.
    
    I know that Snort and BlackICE just reported UDP port probes. Snort
    got a sig early Saturday morning, however. RealSecure sensors had a
    signature in September that seemed to work.
    
    I am curious what anybody running Cisco's IDS, Symantec Manhunt,
    Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
    identified as a worm or just a port probe?
    
    What has me concerned is that the smallness of this worm made it look
    like nothing more than a UDP probe. As such, a lot of IDSs didn't
    consider this a very important event, since a UDP port probe is a
    pretty common event on any network.
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________
    
    

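As an added illustration of the two detection approaches the thread contrasts (a size-only "grepping" match versus alerting on the surge of UDP/1434 probes), here is example code that is not from either post. It assumes a constructed flow-record format ("epoch src dst proto dport len"), takes the 376-byte figure from the thread as the datagram size to match, and uses window and threshold values that are assumptions, not tuned numbers.

```python
# Added example, not code from the thread: two detectors for the UDP/1434 traffic
# it discusses, run over constructed records "<epoch> <src> <dst> <proto> <dport> <len>".
from collections import defaultdict

SAMPLE_LOG = """\
1043800000 10.0.0.5 192.168.1.20 udp 1434 376
1043800000 10.0.0.5 172.16.4.9 udp 1434 376
1043800001 10.0.0.5 10.20.30.40 udp 1434 376
1043800001 10.0.0.5 203.0.113.7 udp 1434 376
1043800002 10.0.0.5 198.51.100.3 udp 1434 376
1043800003 10.0.0.9 192.168.1.20 udp 1434 40
1043800004 10.0.0.9 192.168.1.20 tcp 1433 0
"""  # constructed sample, not a real capture

SLAMMER_PAYLOAD_LEN = 376  # the datagram size the thread quotes for the worm

def parse(log_text):
    """Parse the constructed records into dicts; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, plen = parts
        records.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto.lower(),
                        "dport": int(dport), "len": int(plen)})
    return records

def size_signature_hits(records):
    """UDP/1434 datagrams of exactly the worm's size: cheap, but not content-aware."""
    return [r for r in records if r["proto"] == "udp" and r["dport"] == 1434
            and r["len"] == SLAMMER_PAYLOAD_LEN]

def fanout_alerts(records, window=10, min_targets=5):
    """Behavioural rule for the probe surge the thread mentions: one source reaching
    at least min_targets distinct hosts on UDP/1434 within `window` seconds."""
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 1434:
            per_src[r["src"]].append((r["ts"], r["dst"]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts[src] = len(targets)  # distinct targets in the offending window
                break
    return alerts
```

The size match fires on every 376-byte datagram to 1434 whatever its content, which is exactly the false-positive problem Andy raises; the fan-out rule needs no payload knowledge at all and would have flagged the probe surge both posters describe.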


    This archive was generated by hypermail 2b30 : Sun Feb 09 2003 - 20:28:31 PST