Andrew,

Theorizing, and without playing with SQL and a protocol analyser, I'd suggest that it would be difficult to have pre-empted Slammer with a simple grepping signature; furthermore, the original vulnerability has three issues: two buffer overflows and a DoS on the SQL Resolution Service. There are some signatures that will trigger on expected padding within a buffer overflow, but in 376 bytes there's not a great deal. So would that be three grepping signatures for a single vulnerability?

You mention RealSecure Network Sensor detecting Slammer; I was under the impression that it was RealSecure Intrusion Protection that detected Slammer from September, i.e. the firewalling element of the Sensor itself rather than packets promiscuously off the wire. If it is the NIDS that detects it, I'd be very interested in the signature.

I think there is some scope in researching signatures for those vulnerabilities that lend themselves to propagation within a worm: perhaps identifying normal behaviour on the service, etc., found to be vulnerable, then alerting on those that fall outside it. However, many of the signatures produced by the IDS vendors themselves have to be turned off because of false positives, so what chance has a mere mortal such as myself of producing a solid signature that is flexible enough to cover the full exploit scope of a vulnerability?

As you pointed out, the increase in UDP port probes centred on 1434 should get the IDS singing, especially when fed through a visualization tool (pretty picture).

Just my $0.02.

Take care,
-andy

Taliskers Network Security Tools
http://www.networkintrusion.co.uk

----- Original Message -----
From: "Andrew Plato" <aplato@private>
To: <crime@private>; <focus-ids@private>
Sent: Tuesday, January 28, 2003 10:49 PM
Subject: SQLSlammer Worm & IDSs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am curious what people were seeing with SQL Slammer and their IDSs. I've been collecting anecdotal evidence that Slammer flew right past a lot of IDSs.
I know that Snort and BlackICE just reported UDP port probes. Snort got a sig early Saturday morning, however. RealSecure sensors had a signature in September that seemed to work. I am curious what anybody running Cisco's IDS, Symantec Manhunt, Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it identified as a worm or just a port probe?

What has me concerned is that the smallness of this worm made it look like nothing more than a UDP probe. As such, a lot of IDSs didn't consider this a very important event, since a UDP port probe is a pretty common event on any network.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13

iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl
ev2MhAeNBwJaoTEXZDG+/mk=
=cGis
-----END PGP SIGNATURE-----
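The two messages above argue the same point from opposite ends: a single Slammer packet is indistinguishable from a routine UDP/1434 probe unless the IDS has a content signature, while the worm's spraying behaviour (many distinct destinations from one source in a short window) is visible without any signature at all. The following is an added illustration written for this archive page, not code from either poster nor any IDS vendor's signature. It takes from the thread only the UDP/1434 destination and the 376-byte payload size; the first-byte check (0x04, the SQL Server Resolution Service instance request opcode) and the window/threshold values are assumptions for the example, and the packet records it runs over are constructed, not captured traffic.

```python
"""Content signature vs. rate-based detection for a Slammer-style UDP/1434 worm.

Added example; nothing here is a vendor signature. Assumptions are marked.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class UdpPacket:
    ts: float        # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes


SSRP_PORT = 1434            # from the thread
SLAMMER_PAYLOAD_LEN = 376   # from the thread ("in 376 bytes there's not a great deal")
SSRP_OPCODE = b"\x04"       # ASSUMPTION: first byte of the worm's SSRP request


def match_payload_signature(pkt):
    """Content match: UDP/1434, exactly 376 bytes, leading SSRP opcode byte."""
    return (pkt.dport == SSRP_PORT
            and len(pkt.payload) == SLAMMER_PAYLOAD_LEN
            and pkt.payload[:1] == SSRP_OPCODE)


def scanning_sources(packets, window=1.0, threshold=5):
    """Rate-based: sources contacting >= threshold distinct hosts on UDP/1434
    inside a sliding window of `window` seconds. Returns {src: peak distinct dsts}.
    Window and threshold are arbitrary values chosen for this example."""
    by_src = defaultdict(list)
    for p in packets:
        if p.dport == SSRP_PORT:
            by_src[p.src].append((p.ts, p.dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = deque()
        dst_counts = Counter()
        for ts, dst in events:
            in_window.append((ts, dst))
            dst_counts[dst] += 1
            # evict events older than the window
            while in_window and in_window[0][0] < ts - window:
                _, old_dst = in_window.popleft()
                dst_counts[old_dst] -= 1
                if dst_counts[old_dst] == 0:
                    del dst_counts[old_dst]
            if len(dst_counts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(dst_counts))
    return flagged


def analyze(packets, window=1.0, threshold=5):
    return {
        "signature_hits": [(p.src, p.dst) for p in packets if match_payload_signature(p)],
        "scanners": scanning_sources(packets, window, threshold),
    }


def classify(packets, window=1.0, threshold=5):
    """Combine both detectors into a per-source verdict."""
    result = analyze(packets, window, threshold)
    sig_srcs = {src for src, _ in result["signature_hits"]}
    verdicts = {}
    for src in sig_srcs | set(result["scanners"]):
        if src in sig_srcs and src in result["scanners"]:
            verdicts[src] = "worm propagation"      # payload matches AND spraying
        elif src in sig_srcs:
            verdicts[src] = "worm payload"          # one copy, e.g. inbound infection attempt
        else:
            verdicts[src] = "udp/1434 sweep"        # many probes, no Slammer payload
    return verdicts


def build_sample_traffic():
    """CONSTRUCTED packet records, not a real capture."""
    worm = SSRP_OPCODE + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)
    pkts = [UdpPacket(0.00, "10.0.0.5", "10.0.1.10", 1434, b"\x02")]   # one legitimate SSRP request
    for i in range(8):   # infected host spraying pseudo-random targets
        pkts.append(UdpPacket(1.00 + i * 0.02, "10.0.0.77", f"198.51.100.{i + 1}", 1434, worm))
    for i in range(6):   # ordinary port sweep: tiny probes, many hosts
        pkts.append(UdpPacket(2.00 + i * 0.1, "10.0.0.200", f"10.0.2.{i + 1}", 1434, b"\x02"))
    pkts.append(UdpPacket(3.00, "192.0.2.9", "10.0.0.77", 1434, worm))     # single inbound copy
    pkts.append(UdpPacket(3.50, "10.0.0.5", "10.0.1.53", 53, b"\x04" * 376))  # 376 bytes, wrong port
    return pkts


if __name__ == "__main__":
    print(classify(build_sample_traffic()))
```

Run stand-alone it prints the verdicts for the constructed traffic: the spraying host is caught by both detectors, the single inbound copy only by the content match (it is one packet, so no rate trips), and the sweep only by the rate check, which is exactly the "just a UDP port probe" case the original post worries about. A real deployment would have to tune the window and threshold against the background level of UDP/1434 probes on the monitored network, since the thread notes how common such probes are.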
This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 21:15:39 PST