IDS mailing list archives
RE: Did IDSes detect the SQL worm?
From: Terence Runge <Terence.Runge () veritas com>
Date: Mon, 3 Feb 2003 08:25:04 -0800
Our IDS sensors were extremely effective in detecting this activity, especially during the early stages without any specific sigs for Slammer. The real savior here was our NOC staff, who detected the rise in 1434 traffic, made the right contacts and did some initial research into the activity across the network. It was extremely helpful to start at such a granular level and not have to rely entirely on a pre-defined sig. The end result was minimal impact. A few small scripts and pro-tem sigs were kept running until the vendors made available their Slammer signatures.

Terence Runge
VERITAS Software Corporation

-----Original Message-----
From: Scott C. Kennedy [mailto:sck () infosyscorp com]
Sent: Friday, January 31, 2003 11:02 AM
To: Kurt Seifried
Cc: focus-ids () securityfocus com
Subject: Re: Did IDSes detect the SQL worm?

We caught the first few hundred packets, verified firewall rulesets, and then called upstream to warn our providers, and they were not aware of the problem until we called, so I'd say our reaction due to the IDS systems was very positive. Within an hour we'd contacted most of our customer base, all of the upstream providers, had tuned our IDS system to only alert for out-bound worm packets and went back to watching the rest of the net panic while the peers got slammed.

Kurt Seifried wrote:
> So it appears that a lot of IDS systems detected this worm and alerted people. Did this actually help much? I imagine by the time most admins got the alert, if they had vulnerable machines/networks they were already falling apart under the load of packets. Does anyone have a success story with respect to an IDS, vulnerable servers, and this attack?
>
> Kurt Seifried, kurt () seifried org
> A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/

--
Scott C. Kennedy
Lead Security Architect / Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
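An added example, not code from this thread or from any of the posters, of the two detections described above: a rise in UDP/1434 traffic caught without a Slammer-specific signature, and an IDS view tuned to alert only on outbound worm packets from local hosts. The site prefix 192.0.2.0/24, the one-minute window and the flow records are all constructed for the illustration.

```python
# Added example (not from the thread): a minimal rate-based detector for the
# Slammer pattern the posters describe, a sudden rise in UDP/1434 traffic,
# plus the outbound-only view Scott's team tuned their IDS to.
from collections import Counter, defaultdict
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed site prefix (constructed)
WINDOW = 60  # seconds per bucket (assumed)

# Constructed flow records: (epoch seconds, src, dst, proto, dst_port)
FLOWS = [
    (0, "198.51.100.7", "192.0.2.10", "udp", 1434),     # baseline background noise
    (70, "198.51.100.8", "192.0.2.11", "udp", 1434),
    (125, "203.0.113.5", "192.0.2.12", "udp", 1434),    # inbound burst begins
    (126, "203.0.113.5", "192.0.2.13", "udp", 1434),
    (127, "203.0.113.9", "192.0.2.14", "udp", 1434),
    (128, "203.0.113.9", "192.0.2.15", "udp", 1434),
    (130, "192.0.2.12", "203.0.113.44", "udp", 1434),   # local host now spraying outbound
    (131, "192.0.2.12", "198.51.100.2", "udp", 1434),
    (132, "192.0.2.12", "203.0.113.45", "udp", 1434),
    (133, "192.0.2.10", "192.0.2.20", "tcp", 1433),     # unrelated SQL traffic, ignored
]

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def per_window_counts(flows, window=WINDOW):
    """Count UDP packets to port 1434 per time bucket (no worm signature needed)."""
    counts = Counter()
    for ts, src, dst, proto, dport in flows:
        if proto == "udp" and dport == 1434:
            counts[ts // window] += 1
    return counts

def spike_windows(flows, baseline=1, factor=3, window=WINDOW):
    """Return buckets whose UDP/1434 count exceeds factor x the expected baseline."""
    counts = per_window_counts(flows, window)
    return sorted(b for b, n in counts.items() if n > baseline * factor)

def outbound_sources(flows):
    """Local hosts sending UDP/1434 to non-local addresses: the 'out-bound worm
    packets' alert, which points at infected machines rather than at scanners."""
    hits = defaultdict(int)
    for ts, src, dst, proto, dport in flows:
        if proto == "udp" and dport == 1434 and is_local(src) and not is_local(dst):
            hits[src] += 1
    return dict(hits)
```

The baseline and factor are the knobs a NOC would tune against its own normal 1434 volume; the outbound list is the one worth paging on, since it names hosts to isolate.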