02-27-2003 10:10 AM - edited 03-09-2019 02:18 AM
Since we upgraded our 4210 to Signature release S40 we are now detecting SQL Slammer worm alarms which appear to be false positives. The alarm indicates the Source IP as our DNS and Source Port of 53 to Dest IP and Dest Port of 1434 UDP. In previous signatures, this alert appeared to be working correctly. Has anyone else seen this, or confirmed this may be reversed connections?
02-27-2003 05:04 PM
The regex was modified in S40 to make the signature more generic (i.e. to catch any variations of the Slammer worm). Unfortunately, it was made too generic. DNS and Kerberos traffic have shown to cause false positives. We have made an adjustment to the regex for this signature which will ship with the S41 update sometime next week.
03-13-2003 08:06 AM
Can you explain to me whether this signature triggers with every connection to port 1434, or whether the packet is inspected to catch this particular worm?
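The question above, port-only matching versus payload inspection, as an added example that is not part of the thread and not Cisco's signature code: a port-only rule alerts on a DNS reply whose client happened to pick UDP port 1434, while a rule that checks for the worm's leading byte pattern does not. All datagrams are constructed test data; the "worm" payload is a stand-in mimicking only the leading byte pattern.

```python
"""Port-only versus payload-inspecting detection of the Slammer datagram.

Added example; not code from this thread or from the IDS signature set.
The DNS reply, the SSRS lookup and the worm-pattern stand-in below are
constructed test data, not captured traffic.
"""
import struct

SQL_RESOLUTION_PORT = 1434   # MS SQL Server Resolution Service (UDP)
DNS_PORT = 53


def port_only_alert(src_port, dst_port, payload):
    """Over-generic rule: every UDP datagram to 1434 is treated as Slammer."""
    return dst_port == SQL_RESOLUTION_PORT


def payload_alert(src_port, dst_port, payload):
    """Alert only when the payload matches the worm's overflow pattern:
    request type 0x04 followed by a long run of 0x01 bytes. A legitimate
    0x04 request carries a short, printable instance name instead."""
    if dst_port != SQL_RESOLUTION_PORT or len(payload) < 97:
        return False
    return payload[0] == 0x04 and payload[1:97] == b"\x01" * 96


def dns_reply(txid, name, addr):
    """Constructed DNS A-record reply: header, one question, one answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = qname + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(addr)
    return header + question + answer


# Constructed datagrams: (label, src_port, dst_port, payload)
DATAGRAMS = [
    ("dns reply to client on 1434", DNS_PORT, SQL_RESOLUTION_PORT,
     dns_reply(0x1234, "example.com", (192, 0, 2, 10))),
    ("legit SSRS instance lookup", 4321, SQL_RESOLUTION_PORT, b"\x04MSSQLSERVER\x00"),
    ("slammer-pattern stand-in", 4322, SQL_RESOLUTION_PORT,
     b"\x04" + b"\x01" * 96 + b"\x00" * 200),   # stand-in, not the worm
]


def classify(datagrams=DATAGRAMS):
    """Return {label: (port_only_alert, payload_alert)} for each datagram."""
    return {label: (port_only_alert(s, d, p), payload_alert(s, d, p))
            for label, s, d, p in datagrams}


if __name__ == "__main__":
    for label, (generic, inspected) in classify().items():
        print(f"{label:30s} port-only={generic!s:5s} payload={inspected}")
```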