Since we upgraded our 4210 to Signature release S40, we are now detecting SQL Slammer worm alarms which appear to be false positives. The alarm indicates the Source IP as our DNS and Source Port of 53 to Dest IP and Dest Port of 1434 UDP. In previous signatures, this alert appeared to be working correctly. Has anyone else seen this, or confirmed this may be reversed connections?
The regex was modified in S40 to make the signature more generic (i.e. to catch any variations of the Slammer worm). Unfortunately, it was made too generic. DNS and Kerberos traffic have been shown to cause false positives. We have made an adjustment to the regex for this signature, which will ship with the S41 update sometime next week.
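The failure mode described in the reply (a payload regex loosened enough that ordinary DNS replies to UDP/1434 trip it) can be reproduced on constructed data. The example below is added here and is not Cisco's signature or code: the two regexes are assumptions standing in for an over-broad pattern and a tightened one, the worm datagram is a stand-in built from the publicly known Slammer shape (376 bytes, SSRS request type 0x04 followed by a run of 0x01 bytes) rather than the worm's real bytes, and the DNS reply is constructed by hand. It also shows why a source port of 53 toward 1434 is plausible benign traffic: a resolver that happened to bind 1434 as its ephemeral port gets its answer on exactly that tuple.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    """Minimal UDP datagram view: just the 4-tuple and payload a sensor would inspect."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


# Constructed stand-in for a Slammer datagram (NOT the worm's real bytes):
# SSRS request type 0x04, then the worm's long run of 0x01 bytes, then filler to 376 bytes.
SLAMMER_LIKE = b"\x04" + b"\x01" * 97 + b"\x90" * (376 - 98)

# Constructed DNS reply: 12-byte header (ID 0x1234, QR=1 RD=1 RA=1, 1 question, 1 answer),
# question "mail.example.com A IN", one A record pointing at 192.168.1.10.
# Note the 0x04 label-length byte for "mail" and the 0x00 0x01 QTYPE/QCLASS bytes after it.
DNS_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x04mail\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10" + b"\x00\x04" + b"\xc0\xa8\x01\x0a"
)

# Assumed over-broad pattern (analogous to the S40 problem, not the actual signature):
# "a 0x04 byte followed, anywhere later, by a 0x01 byte". DNS answers satisfy this trivially.
GENERIC_RE = re.compile(rb"\x04.*\x01", re.DOTALL)

# Assumed tightened pattern: the datagram must START with 0x04 and be followed
# immediately by a long 0x01 sled, which a DNS or Kerberos message never does.
TIGHT_RE = re.compile(rb"\A\x04\x01{90,}")

# Source ports of services whose replies routinely land on arbitrary ephemeral ports,
# used only as triage context, never as the sole reason to suppress an alert.
SERVICE_REPLY_PORTS = {53, 88}


def matches(pkt: UdpPacket, pattern: re.Pattern) -> bool:
    """Signature trigger: UDP to 1434 whose payload matches the given regex."""
    return pkt.dst_port == 1434 and pattern.search(pkt.payload) is not None


def looks_like_service_reply(pkt: UdpPacket) -> bool:
    """True when the 'attacker' is actually a DNS/Kerberos server answering a client."""
    return pkt.src_port in SERVICE_REPLY_PORTS


def evaluate(packets: list[UdpPacket], pattern: re.Pattern) -> list[tuple[str, int, str, int]]:
    """Return the 4-tuples the signature would alarm on under a given pattern."""
    return [(p.src_ip, p.src_port, p.dst_ip, p.dst_port) for p in packets if matches(p, pattern)]


# Constructed traffic: one worm-shaped datagram and one DNS reply to a resolver
# that chose 1434 as its ephemeral source port for the query.
WORM_PKT = UdpPacket("10.0.0.5", 3456, "192.0.2.10", 1434, SLAMMER_LIKE)
DNS_PKT = UdpPacket("10.0.0.2", 53, "10.0.0.77", 1434, DNS_REPLY)
SAMPLE = [WORM_PKT, DNS_PKT]


if __name__ == "__main__":
    for name, pat in (("generic", GENERIC_RE), ("tight", TIGHT_RE)):
        hits = evaluate(SAMPLE, pat)
        print(f"{name}: {len(hits)} alarm(s)")
        for h in hits:
            flag = " (source port is a DNS/Kerberos server: probable false positive)" \
                if looks_like_service_reply(UdpPacket(*h, b"")) else ""
            print("  ", h, flag)
```

Run as-is, the generic pattern alarms on both datagrams while the tightened one alarms only on the worm-shaped one; the DNS reply still goes to port 1434, so a port-only check cannot separate the two, which is why the fix has to live in the payload pattern rather than in the port match.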