IDS mailing list archives

RE: Did IDSes detect the SQL worm?


From: Terence Runge <Terence.Runge () veritas com>
Date: Mon, 3 Feb 2003 08:25:04 -0800

Our IDS sensors were extremely effective in detecting this activity,
especially during the early stages, without any specific sigs for Slammer.
The real savior here was our NOC staff, who detected the rise in 1434
traffic, made the right contacts and did some initial research into the
activity across the network. It was extremely helpful to start at such a
granular level and not have to rely entirely on a pre-defined sig.

The end result was minimal impact. A few small scripts and pro-tem sigs were
kept running until the vendors made available their Slammer signatures.

Terence Runge
VERITAS Software Corporation

-----Original Message-----
From: Scott C. Kennedy [mailto:sck () infosyscorp com] 
Sent: Friday, January 31, 2003 11:02 AM
To: Kurt Seifried
Cc: focus-ids () securityfocus com
Subject: Re: Did IDSes detect the SQL worm?

We caught the first few hundred packets, verified firewall rulesets, and
then called upstream to warn our providers, and they were not aware of the
problem until we called, so I'd say our reaction due to the IDS systems was
very positive. Within an hour we'd contacted most of our customer base, all
of the upstream providers, had tuned our IDS system to only alert for
out-bound worm packets and went back to watching the rest of the net panic
while the peers got slammed.

Kurt Seifried wrote:

So it appears that a lot of IDS systems detected this worm and alerted
people. Did this actually help much? I imagine by the time most admins got
the alert, if they had vulnerable machines/networks, they were already
falling apart under the load of packets. Does anyone have a success story
with respect to an IDS, vulnerable servers, and this attack?


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

-- 
 Scott C. Kennedy
 Lead Security Architect/ Director of Security
 Infosys Corporation
 Work: (877) 772-2347
 PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
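Both messages above describe the same pre-signature detection: the NOC noticing a rise in port 1434 traffic before any vendor sig existed, and Scott's team then tuning the IDS to alert only on out-bound worm packets. The example below is added here to show what that check looks like in code; it is not code from either poster, their NOC scripts, or any IDS vendor. It assumes a constructed whitespace-separated packet log ("epoch src dst proto dport"), an assumed internal prefix of 10.0.0.0/8, and a hypothetical fan-out threshold. The property it keys on is fan-out: a worm-infected host contacts hundreds of distinct addresses on UDP/1434 within seconds, whereas a legitimate client resolving SQL Server instances talks to a handful of servers.

```python
"""Pre-signature detection of UDP/1434 worm propagation by per-source fan-out.

Added example, not code from the thread. The log format, the internal
prefix and the threshold are all assumptions made for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: "our" address space; anything else is treated as external.
INTERNAL = ip_network("10.0.0.0/8")

T0 = 1043798400  # constructed epoch timestamp (divisible by 60)


def _build_sample_log():
    """Constructed traffic: a normal client, an infected internal host
    spraying distinct external addresses, and an external host sweeping us."""
    lines = []
    # Normal: one client resolving instances on two SQL servers.
    for i in range(20):
        lines.append(f"{T0 + i * 3} 10.0.1.5 10.0.5.{10 + i % 2} udp 1434")
    # Infected internal host: 200 packets to 200 distinct external hosts in 50 s.
    for i in range(200):
        lines.append(f"{T0 + i // 4} 10.0.2.9 192.0.2.{i % 254 + 1} udp 1434")
    # External infected host sweeping our address space: 150 distinct targets.
    for i in range(150):
        lines.append(f"{T0 + i // 3} 203.0.113.7 10.0.{i // 254}.{i % 254 + 1} udp 1434")
    # Unrelated TCP/1433 traffic that must not trip a UDP/1434 detector.
    lines.append(f"{T0 + 5} 10.0.1.5 10.0.5.10 tcp 1433")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Parse one constructed log line into a record."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def direction(src):
    """Outbound if the sender is ours (an infected internal host), else inbound."""
    return "outbound" if ip_address(src) in INTERNAL else "inbound"


def fanout_per_source(lines, window):
    """Map (window_start, src) -> set of distinct UDP/1434 destinations seen."""
    buckets = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["proto"] != "udp" or rec["dport"] != 1434:
            continue
        key = (rec["ts"] // window * window, rec["src"])
        buckets[key].add(rec["dst"])
    return buckets


def alerts(lines, window=60, threshold=30, outbound_only=False):
    """Return one alert per (window, source) whose distinct-destination count on
    UDP/1434 reaches the threshold. outbound_only keeps only internal senders,
    i.e. the hosts we can actually go and fix."""
    found = []
    for (wstart, src), dsts in sorted(fanout_per_source(lines, window).items()):
        if len(dsts) < threshold:
            continue
        d = direction(src)
        if outbound_only and d != "outbound":
            continue
        found.append({"window": wstart, "src": src,
                      "direction": d, "fanout": len(dsts)})
    return found


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
    print("outbound only:", alerts(SAMPLE_LOG, outbound_only=True))
```

On the constructed log the unfiltered run flags both the internal host 10.0.2.9 (outbound, fan-out 200) and the external sweeper 203.0.113.7 (inbound, fan-out 150), while the normal client with a fan-out of 2 stays silent; with outbound_only=True only 10.0.2.9 remains, which is the tuning Scott describes once inbound noise from the rest of the Internet stopped being actionable. The threshold is a guess for a 60-second window and should be set from your own baseline of UDP/1434 fan-out; on a saturated link the sensor will also drop packets, so treat the counts as a lower bound.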