IDS mailing list archives

RE: SQLSlammer Worm & IDSs


From: "Thierry Evangelista" <thierry.evangelista () turpial net>
Date: Wed, 29 Jan 2003 20:47:52 +0100

Andrew,

FYI, I'm running a Dragon installation at home as well as on some customer
sites, and all of them reported the worm as a MS-SQL:REG-STACK event with
CVE and bugtraq references describing the attack. 

### Thierry ### 
"To name a thing is not the same as 'to know a thing.'"
Richard Feynman

-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com] 
Sent: mardi 28 janvier 2003 23:49
To: crime () cs pdx edu; focus-ids () securityfocus com
Subject: SQLSlammer Worm & IDSs


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am curious what people were seeing with SQL Slammer and their IDSs. I've
been collecting anecdotal evidence that Slammer flew right past a lot of
IDSs. 

I know that Snort and BlackICE just reported UDP port probes. Snort got a
sig early Saturday morning however. RealSecure sensors had a signature in
September that seemed to work. 

I am curious what anybody running Cisco's IDS, Symantec Manhunt, Enterasys
Dragon, NFR, Intruvert, or any other IDS saw. Was it identified as a worm or
just a port probe? 

What has me concerned is that the smallness of this worm made it look like
nothing more than a UDP probe. As such, a lot of IDSs didn't consider this a
very important event, since a UDP port probe is a pretty common event on any
network.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
 
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com 
___________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13

iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl
ev2MhAeNBwJaoTEXZDG+/mk=
=cGis
-----END PGP SIGNATURE-----
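
The point Andrew raises above (a single small UDP datagram to port 1434 looks like any other port probe unless the sensor inspects the payload) can be shown with a few lines of detection logic. The following is an added example, not code from either poster or from any of the IDS products named in the thread. It contrasts a header-only view, which reports every packet to UDP/1434 the same way, with a payload-aware check that keys on Slammer's structure: a 376-byte UDP payload whose first byte is the SSRP request type 0x04 followed by a long run of 0x01 filler ahead of the overflow. The sample datagrams are constructed to approximate that layout; they are not the worm's real bytes, and the `MIN_FILLER_RUN` threshold and the `UdpDatagram` helper are assumptions made for the example.

```python
"""Header-only vs. payload-aware classification of UDP/1434 traffic.

Added example (not from the mailing-list thread). The worm datagram below
is CONSTRUCTED to mimic Slammer's shape (0x04 request type, a run of 0x01
filler, then opaque bytes up to 376 in total); it is not the real worm.
"""
from dataclasses import dataclass

SSRP_PORT = 1434            # SQL Server Resolution Protocol, UDP
SLAMMER_PAYLOAD_LEN = 376   # UDP payload length of the worm datagram
MIN_FILLER_RUN = 64         # assumed threshold; the worm carried 97 x 0x01


@dataclass(frozen=True)
class UdpDatagram:
    """Minimal stand-in for a decoded UDP packet (assumed helper)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def port_only_view(pkt: UdpDatagram) -> str:
    """What a sensor that only looks at the UDP header can say."""
    return "udp-1434-probe" if pkt.dport == SSRP_PORT else "other"


def leading_filler_run(payload: bytes) -> int:
    """Number of 0x01 bytes immediately after the request-type byte."""
    run = 0
    for b in payload[1:]:
        if b != 0x01:
            break
        run += 1
    return run


def payload_view(pkt: UdpDatagram) -> str:
    """Payload-aware classification of traffic to UDP/1434."""
    if pkt.dport != SSRP_PORT:
        return "other"
    p = pkt.payload
    if len(p) == 0:
        return "empty-probe"                 # a bare scanner probe
    if p[0] != 0x04:
        return "ssrp-other"                  # other SSRP request types
    if leading_filler_run(p) >= MIN_FILLER_RUN:
        return "slammer-like-overflow"       # 0x04 + long 0x01 run: exploit
    return "ssrp-instance-query"             # 0x04 + short instance name


def build_constructed_worm_payload() -> bytes:
    """Constructed stand-in for the worm datagram (same length and shape)."""
    head = b"\x04" + b"\x01" * 97
    # Opaque filler standing in for the exploit body; NOT real worm bytes.
    body = b"\x90" * (SLAMMER_PAYLOAD_LEN - len(head))
    return head + body


# Constructed sample traffic: a scanner probe, a legitimate instance lookup,
# and the worm-shaped datagram.
PROBE = UdpDatagram("10.0.0.5", "10.0.0.20", SSRP_PORT, b"")
QUERY = UdpDatagram("10.0.0.6", "10.0.0.20", SSRP_PORT, b"\x04SQLEXPRESS\x00")
WORM = UdpDatagram("10.0.0.7", "10.0.0.20", SSRP_PORT,
                   build_constructed_worm_payload())


def run_samples() -> dict:
    """Classify each sample under both views; keys are sample names."""
    out = {}
    for name, pkt in (("probe", PROBE), ("query", QUERY), ("worm", WORM)):
        out[name] = (port_only_view(pkt), payload_view(pkt))
    return out


if __name__ == "__main__":
    for name, (hdr, pay) in run_samples().items():
        print(f"{name:6s} header-only={hdr:16s} payload-aware={pay}")
```

Under the header-only view all three samples come back as `udp-1434-probe`, which is exactly the "just a port probe" verdict Andrew describes; only the payload check separates the worm-shaped datagram from an empty probe or a legitimate instance lookup. The emergency Snort signature that appeared that weekend worked the same way, anchoring on the 0x04 request byte at the start of the payload and on byte sequences from the worm's code body rather than on the destination port alone.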

