Hi all,

This is partly a reply to Tina's question for Windows Event Log samples of the new SQL worm. I, too, would be interested in seeing some, but I think the event log is *not* the right place to look into in order to detect such activity in near-real-time. The reason is that I think (hope) that those caring enough to look into such activity will typically set the proper firewall filters to prevent them.

A typical scenario I have in my mind is a colocation Internet center, where the network itself is carefully managed but some of the sites are simply not carefully administered, causing the whole network trouble. In such a scenario, you don't have access to the event logs at all. You have, however, access to the firewall and router logs. And this is the place where I would base my detection logic on. Of course, I should be able to detect that there is something going on due to the sharp increase in network traffic and - as far as the firewalled sites are concerned - the number of firewall alerts.

HOWEVER, most of this data is reported by syslog. This being UDP is one of the first things to be thrown away during congestion. I think the worm is the first situation that in reality proves whether or not syslog is able to provide a high enough message delivery rate to trigger alerts - or be of no use at all. We fortunately did not have enough malicious traffic on our firewall to prove this point. We saw large amounts of traffic, but no congestion, not even on the external side of the firewall. So our own logs and syslog loss ratios (there were none on the internal side) do not apply.

Is there anybody hanging around who has access to the logs in a facility that was severely hit? If so, were there successful syslog messages? Or did other methods prove to be more effective?

IMHO, I fear this will not be the last incident. We had Nimda and CodeRed and each time we thought it couldn't come worse. But it did. Also, DDoS can definitely be used with political motivation.
In short: how can we reliably detect things such as this SQL worm - things that we don't even know what they will affect. Maybe next time we have a flaw in ICMP or whatever (not predicting or assuming/suggesting something here - just making a totally wild guess to show that it might hit anywhere ;)).

Any thoughts, experiences or samples?

Rainer Gerhards
Adiscon
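Two of the questions raised in the message above can be checked mechanically once the firewall logs land on a syslog relay: did the deny count for some port jump sharply against its recent baseline, and how many syslog datagrams went missing on the way. The following is an added example, not code from the original post or from Adiscon; it assumes a hypothetical log format in which the firewall prefixes each message with a sequence number (so gaps reveal lost UDP datagrams) and logs denies as `DENY proto src:port -> dst:port`. The sample lines are constructed, with RFC 5737 documentation addresses and an arbitrary destination port; the detection itself is generic and flags any port whose per-minute deny count exceeds a multiple of its earlier average.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Hypothetical firewall syslog format (assumption, not any vendor's real format):
#   "<seq>: <Mon DD HH:MM:SS> <host> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"DENY (?P<proto>udp|tcp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one firewall deny line; return None for anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "seq": int(m.group("seq")),
        "minute": ts.replace(second=0),   # bucket key for per-minute counting
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def syslog_loss_ratio(events):
    """Estimate the fraction of datagrams that never reached the relay from gaps in the
    sender's sequence numbers. Only meaningful when the sender numbers its messages."""
    seqs = sorted({e["seq"] for e in events})
    if not seqs:
        return 0.0
    expected = seqs[-1] - seqs[0] + 1
    return (expected - len(seqs)) / expected


def find_alert_spikes(events, factor=10.0, floor=2):
    """Return {dport: (last_minute_count, baseline)} for destination ports whose deny
    count in the most recent minute exceeds factor x the mean of all earlier minutes.
    The floor keeps a port that was almost silent before from triggering on a handful
    of denies; missing minutes count as zero in the baseline."""
    minutes = sorted({e["minute"] for e in events})
    if len(minutes) < 2:
        return {}
    last = minutes[-1]
    per_port = defaultdict(Counter)
    for e in events:
        per_port[e["dport"]][e["minute"]] += 1
    spikes = {}
    for dport, by_minute in per_port.items():
        baseline = mean(by_minute[m] for m in minutes[:-1])
        current = by_minute[last]
        if current > factor * max(baseline, floor):
            spikes[dport] = (current, baseline)
    return spikes


def analyze(lines):
    """Run both checks over raw log lines and report what a relay-side monitor would see."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "received": len(events),
        "loss_ratio": syslog_loss_ratio(events),
        "spikes": find_alert_spikes(events),
    }


def build_sample_lines():
    """Constructed sample: four quiet minutes, then one minute in which denies to
    udp/5555 jump 40x while every fourth datagram is dropped on the way to the relay."""
    lines, seq = [], 100
    for minute in range(5):
        ts = f"Jan 25 05:3{minute}:00"
        burst = 40 if minute == 4 else 1
        flows = [("tcp", "198.51.100.7", "203.0.113.10", 80)]
        flows += [("udp", f"198.51.100.{i % 250 + 1}", "203.0.113.20", 5555) for i in range(burst)]
        for proto, src, dst, dport in flows:
            seq += 1
            if minute == 4 and seq % 4 == 0:   # simulated UDP syslog loss under load
                continue
            lines.append(f"{seq}: {ts} fw1 DENY {proto} {src}:40000 -> {dst}:{dport}")
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    print(f"received {report['received']} lines, estimated syslog loss "
          f"{report['loss_ratio']:.1%}, spikes: {report['spikes']}")
```

Feeding a real relay's log into `analyze` would mean swapping `LINE_RE` for the actual device format; the important property is that the loss estimate is only as good as the sender's sequence numbers, so a firewall that does not number its messages gives no way to tell a quiet network from a relay that silently dropped the alerts.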
This archive was generated by hypermail 2b30 : Sun Jan 26 2003 - 09:13:40 PST