CRIME Re: SQLSlammer Worm & IDSs

From: Talisker (talisker@private)
Date: Wed Jan 29 2003 - 13:30:55 PST


Andrew,
Theorizing, and without playing with SQL and a protocol analyser, I'd suggest
that it would be difficult to have pre-empted the Slammer with a simple
grepping signature; furthermore, the original vulnerability has three issues:
2 buffer overflows and a DoS on the SQL resolution service.  There are some
signatures that will trigger on expected padding within a buffer overflow,
but in 376 bytes there's not a great deal.  So would that be 3 grepping
signatures for a single vulnerability?  You mention RealSecure Network
Sensor detecting Slammer; I was under the impression that it was the
RealSecure Intrusion Protection that detected Slammer from September, i.e. the
firewalling element of the Sensor itself rather than packets promiscuously
off the wire.  If it is the NIDS that detects it, I'd be very interested in
the signature.

I think there is some scope in researching signatures for those
vulnerabilities that lend themselves to propagation within a worm.  Perhaps
identifying normal behaviour on the service, etc., found to be vulnerable,
then alerting on those that fall outside.  However, many of the signatures
produced by the IDS vendors themselves have to be turned off through false
positives, so what chance has a mere mortal such as myself of producing a
solid signature that is flexible enough to cover the full exploit scope of a
vulnerability?

As you pointed out, the increase in UDP port probes centred on 1434 should
get the IDS singing, especially fed through a visualization tool (pretty
picture).
Just my $0.02.

take care
-andy





Talisker's Network Security Tools
http://www.networkintrusion.co.uk
----- Original Message -----
From: "Andrew Plato" <aplato@private>
To: <crime@private>; <focus-ids@private>
Sent: Tuesday, January 28, 2003 10:49 PM
Subject: SQLSlammer Worm & IDSs


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am curious what people were seeing with SQL Slammer and their IDSs.
I've been collecting anecdotal evidence that Slammer flew right past
a lot of IDSs.

I know that Snort and BlackICE just reported UDP port probes. Snort
got a sig early Saturday morning, however. RealSecure sensors had a
signature in September that seemed to work.

I am curious what anybody running Cisco's IDS, Symantec Manhunt,
Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
identified as a worm or just a port probe?

What has me concerned is that the smallness of this worm made it look
like nothing more than a UDP probe. As such, a lot of IDSs didn't
consider this a very important event, since a UDP port probe is a
pretty common event on any network.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13

iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl
ev2MhAeNBwJaoTEXZDG+/mk==cGis
-----END PGP SIGNATURE-----
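The two detection views raised in this thread, a grep-style signature on a 376-byte datagram to UDP/1434 (brittle, as the reply argues) versus the burst of UDP port probes centred on 1434 that should "get the IDS singing", can be shown side by side over the same traffic. The Python below is an added illustration and is not code from either poster or from any of the IDS products named; the datagrams it runs over are constructed, and the 20-host fan-out threshold and 10-second window are assumed tuning values, not figures from the thread.

```python
"""Added example: two ways of spotting Slammer-like traffic on UDP/1434.

1. length_signature_hits  - a grep-style match on "UDP/1434, 376 bytes";
   it fires on every 376-byte datagram, worm copy or not.
2. probe_burst_sources    - behavioural: how many distinct hosts a single
   source touches on UDP/1434 inside one time window; one lone probe (the
   everyday event the original post mentions) stays quiet, the spray of an
   infected host does not.
"""
from collections import defaultdict
from dataclasses import dataclass
import math

SQL_RESOLUTION_PORT = 1434   # SQL Server resolution service, from the thread
SLAMMER_DATAGRAM_LEN = 376   # worm size quoted in the thread
FANOUT_THRESHOLD = 20        # assumed: distinct targets per source per window
WINDOW_SECONDS = 10.0        # assumed: fixed window size for the fan-out count


@dataclass(frozen=True)
class Datagram:
    ts: float      # capture time in seconds
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int     # UDP destination port
    length: int    # UDP payload length in bytes


def length_signature_hits(datagrams):
    """Signature view: every datagram to UDP/1434 carrying exactly 376 bytes.

    Cannot distinguish a worm copy from any other 376-byte datagram to the
    resolution service, which is why a length-only signature is brittle.
    """
    return [d for d in datagrams
            if d.dport == SQL_RESOLUTION_PORT and d.length == SLAMMER_DATAGRAM_LEN]


def fanout_per_window(datagrams, window=WINDOW_SECONDS):
    """Behavioural view: for each source, the largest number of distinct
    destination hosts it probed on UDP/1434 within any single fixed window."""
    targets = defaultdict(set)                      # (src, bucket) -> {dst, ...}
    for d in datagrams:
        if d.dport != SQL_RESOLUTION_PORT:
            continue
        targets[(d.src, math.floor(d.ts / window))].add(d.dst)
    worst = defaultdict(int)
    for (src, _bucket), dsts in targets.items():
        worst[src] = max(worst[src], len(dsts))
    return dict(worst)


def probe_burst_sources(datagrams, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sources whose UDP/1434 fan-out in some window reaches the threshold."""
    return sorted(src for src, n in fanout_per_window(datagrams, window).items()
                  if n >= threshold)


def constructed_traffic():
    """Constructed sample capture (not real data) mixing benign and worm-like traffic."""
    traffic = [
        # a) one legitimate SQL Browser query: tiny payload, single destination
        Datagram(0.5, "10.0.0.5", "10.0.0.20", SQL_RESOLUTION_PORT, 1),
        # b) a lone scanner touching one host: the "pretty common" UDP probe
        Datagram(1.0, "192.0.2.9", "10.0.0.20", SQL_RESOLUTION_PORT, 60),
        # c) a 376-byte datagram to 1434 that is not the worm (constructed case
        #    to show the length signature firing on a non-worm packet)
        Datagram(2.0, "10.0.0.7", "10.0.0.20", SQL_RESOLUTION_PORT, 376),
    ]
    # d) an infected host spraying 376-byte copies at 50 distinct hosts in ~2 s
    for i in range(50):
        traffic.append(Datagram(3.0 + i * 0.04, "10.0.0.66",
                                f"198.51.100.{i + 1}", SQL_RESOLUTION_PORT, 376))
    return traffic


if __name__ == "__main__":
    sample = constructed_traffic()
    print("length signature hits:", len(length_signature_hits(sample)))
    print("fan-out per source:", fanout_per_window(sample))
    print("probe-burst sources:", probe_burst_sources(sample))
```

Run stand-alone, the length signature reports 51 hits (the 50 worm copies plus the constructed non-worm 376-byte datagram), while the fan-out detector flags only the spraying host and leaves the single query and the lone probe alone. The fixed-window bucketing is the simplest form; a sliding window would catch a burst that straddles a bucket boundary, at the cost of keeping per-source timestamps.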



This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 21:15:39 PST