CRIME Re: SQLSlammer Worm & IDSs

From: Mike Barkett (mbarkett@private)
Date: Wed Jan 29 2003 - 15:31:54 PST

Next message: kyle.r.maxwell@private: "CRIME Re: SQLSlammer Worm & IDSs"

Previous message: Mike Barkett: "CRIME Re: SQLSlammer Worm & IDSs"
Next in thread: kyle.r.maxwell@private: "CRIME Re: SQLSlammer Worm & IDSs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andrew -

Prior even to the initial propagation of the worm, NFR NID detected
exploitation of the underlying vulnerability and identified it as a "SQL
Server stack overflow."  Several major NFR customers sent us emails
complimenting us on our foresight, as their NFR NID appliances have enabled
them to detect this attack since August, 2002.  Still, our Rapid Response
Team responded the day of the outbreak, releasing an updated version of the
package that indentified the worm by its new name and included some tuning
variables to help reduce the number of alerts generated by the incoming
onslaught from other, more vulnerable sites.  From my perspective, this was
remarkably reminiscent of the Nimda epidemic, and it is another testament to
the value of advanced hybrid intrusion detection solutions.

-MAB

--
Michael A Barkett
VP, Systems Engineering
NFR Security, Inc.
5 Choke Cherry Road, Rockville, MD 20850
Phone: 240.747.3478  Fax: 240.632.0202

----- Original Message -----
From: "Andrew Plato" <aplato@private>
To: <crime@private>; <focus-ids@private>
Sent: Tuesday, January 28, 2003 5:49 PM
Subject: SQLSlammer Worm & IDSs


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am curious what people were seeing with SQL Slammer and their IDSs.
I've been collecting anecdotal evidence that Slammer flew right past
a lot of IDSs.

I know that Snort and BlackICE just reported UDP port probes. Snort
got a sig early Saturday morning however. RealSecure sensors had a
signature in September that seemed to worked.

I am curious what anybody running Cisco's IDS, Symantec Manhunt,
Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
identified as a worm or just a port probe?

What has me concerned is that the smallness of this worm made it look
like nothing more than a UDP probe. As such, a lot of IDSs didn't
consider this a very important event, since a UDP port probe is a
pretty common event on any network.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13

iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl
ev2MhAeNBwJaoTEXZDG+/mk==cGis
-----END PGP SIGNATURE-----

Next message: kyle.r.maxwell@private: "CRIME Re: SQLSlammer Worm & IDSs"
Previous message: Mike Barkett: "CRIME Re: SQLSlammer Worm & IDSs"
Next in thread: kyle.r.maxwell@private: "CRIME Re: SQLSlammer Worm & IDSs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 01:37:55 PST