ISS RealSecure reports it as "SQL_SSRP_StackBo". There's also a signature (not triggered by this worm) for the related heap overflow (SQL_SSRP_HeapBo). And yes, the worm definitely triggers this in abundance. "Andrew Plato" <aplato@private> 01/28/2003 04:49 PM To: crime@private, focus-ids@private cc: Subject: SQLSlammer Worm & IDSs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am curious what people were seeing with SQL Slammer and their IDSs. I've been collecting anecdotal evidence that Slammer flew right past a lot of IDSs. I know that Snort and BlackICE just reported UDP port probes. Snort got a sig early Saturday morning however. RealSecure sensors had a signature in September that seemed to worked. I am curious what anybody running Cisco's IDS, Symantec Manhunt, Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it identified as a worm or just a port probe? What has me concerned is that the smallness of this worm made it look like nothing more than a UDP probe. As such, a lot of IDSs didn't consider this a very important event, since a UDP port probe is a pretty common event on any network. ___________________________________ Andrew Plato, CISSP President / Principal Consultant Anitian Corporation 503-644-5656 Office 503-644-8574 Fax 503-201-0821 Mobile www.anitian.com ___________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13 iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl ev2MhAeNBwJaoTEXZDG+/mk==cGis -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 14:49:22 PST