[logs] Reliably detecting things like the SQL worm....

From: Rainer Gerhards (rgerhardsat_private)
Date: Sun Jan 26 2003 - 02:00:04 PST

  • Next message: Chris Adams: "Re: [logs] Reliably detecting things like the SQL worm...."

Hi all,

This is partly a reply to Tina's question for Windows Event Log samples of the new SQL worm. I, too, would be interested in seeing some, but I think the event log is *not* the right place to look into in order to detect such activity in near-real-time. The reason is that I think (hope) that those caring enough to look into such activity will typically set the proper firewall filters to prevent them.

A typical scenario I have in my mind is a colocation Internet center, where the network itself is carefully managed but some of the sites are simply not carefully administered, causing the whole network trouble. In such a scenario, you don't have access to the event logs at all. You have, however, access to the firewall and router logs. And this is the place where I would aid my detection logic on.

Of course, I should be able to detect that there is something going on due to the sharp increase in network traffic and - as far as the firewalled sites are concerned - the number of firewall alerts. HOWEVER, most of this data is reported by syslog. This being UDP is one of the first things to be thrown away during congestion. I think the worm is the first situation that in reality proves whether or not syslog is able to provide a high enough message delivery rate to trigger alerts - or be of no use at all.

We fortunately did not have enough malicious traffic on our firewall to prove this point. We saw large amounts of traffic, but no congestion, not even on the external side of the firewall. So our own logs and syslog loss ratios (there were none on the internal side) do not apply.

Is there anybody hanging around who has access to the logs in a facility that was severely hit? If so, were there successful syslog messages? Or did other methods prove to be more effective?

IMHO, I fear this will not be the last incident. We had Nimda and CodeRed and each time we thought it couldn't come worse. But it did. Also, DDoS can definitely be used with political motivation. In short: how can we reliably detect things such as this SQL worm, things that we don't even know what they will affect? Maybe next time we have a flaw in ICMP or whatever (not predicting or assuming/suggesting something here - just making a totally wild guess to show that it might hit anywhere).

Any thoughts, experiences or samples?

Rainer Gerhards

LogAnalysis mailing list
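The rate-based detection the message proposes (a sharp rise in firewall alerts rather than Event Log entries), as an added example that is not part of the original post. The syslog line format, hosts, addresses and the UDP port 1434 in the burst are all constructed assumptions; one deliberately cut-short line stands in for a datagram damaged in transit and shows that the parser skips it rather than failing.

```python
import re
from collections import Counter
from datetime import datetime

# Syslog-style firewall deny line. The format is constructed for this example,
# not any particular vendor's; only the timestamp and the DENY verdict matter.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ fw: DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def deny_counts_per_minute(lines, year=2003):
    """Bucket DENY events by minute. Syslog timestamps carry no year, so one is
    assumed. Returns (Counter of minute -> count, number of unparsable lines)."""
    counts, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            skipped += 1  # e.g. a datagram mangled or cut short in transit
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        counts[ts.replace(second=0)] += 1
    return counts, skipped

def spike_minutes(counts, baseline_minutes=3, factor=10):
    """Flag each minute whose deny count exceeds `factor` times the mean of the
    preceding `baseline_minutes` minutes that had any events."""
    minutes = sorted(counts)
    flagged = []
    for i, minute in enumerate(minutes):
        window = minutes[max(0, i - baseline_minutes):i]
        if len(window) < baseline_minutes:
            continue  # not enough history for a baseline yet
        baseline = sum(counts[w] for w in window) / baseline_minutes
        if counts[minute] > factor * baseline:
            flagged.append(minute)
    return flagged

# Constructed sample: three quiet minutes, then a burst of many sources hitting
# one UDP port in minute 00:13. One line is cut short to mimic a damaged datagram.
SAMPLE_LOG = [
    "Jan 26 00:10:12 gw fw: DENY TCP 203.0.113.5:40211 -> 198.51.100.7:23",
    "Jan 26 00:11:03 gw fw: DENY TCP 203.0.113.9:51020 -> 198.51.100.7:135",
    "Jan 26 00:12:44 gw fw: DENY UDP 203.0.113.12:3456 -> 198.51.100.8:137",
    "Jan 26 00:13:05 gw fw: DENY UDP 192.0.2.17:1029 -> 198.51.100.",
] + [
    "Jan 26 00:13:%02d gw fw: DENY UDP 192.0.2.%d:1029 -> 198.51.100.%d:1434"
    % (s, 10 + s, 7 + s % 2)
    for s in range(6, 30)
]
```

Because syslog over UDP silently drops datagrams under load, the counts this sees are a lower bound; a burst that is still visible through that loss is exactly the signal the message asks about.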

    This archive was generated by hypermail 2b30 : Sun Jan 26 2003 - 09:13:40 PST