New Member

Connection information of SIG ID 4701

Since we upgraded our 4210 to Signature release S40, we are now detecting SQL Slammer worm alarms which appear to be false positives. The alarm indicates the Source IP as our DNS and Source Port of 53 to Dest IP and Dest Port of 1434 UDP. In previous signatures, this alert appeared to be working correctly. Has anyone else seen this, or confirmed this may be reversed connections?

2 REPLIES
Bronze

Re: Connection information of SIG ID 4701

The regex was modified in S40 to make the signature more generic (i.e. to catch any variations of the Slammer worm). Unfortunately, it was made too generic. DNS and Kerberos traffic have been shown to cause false positives. We have made an adjustment to the regex for this signature, which will ship with the S41 update sometime next week.
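To illustrate why an over-generic payload pattern fires on DNS replies (a reply from port 53 goes back to whatever ephemeral source port the client chose, which can be 1434), here is an added example that is not part of this thread or of Cisco's signature set. The "loose" pattern is a hypothetical stand-in, since the actual S40 regex is not shown here; the tightened check relies on the well-known Slammer datagram prefix of a 0x04 byte followed by a long run of 0x01 bytes, and both sample packets are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class UdpPacket:
    src_port: int
    dst_port: int
    payload: bytes


# Hypothetical over-generic pattern (stand-in for the S40 regex, which is not
# on the page): "a 0x04 byte somewhere, followed later by a 0x01 byte".
# DNS replies hit this easily: 0x04 is a common label length, 0x01 is QTYPE A.
LOOSE_RE = re.compile(rb"\x04.*\x01", re.DOTALL)

# Tighter pattern: Slammer's datagram starts with opcode byte 0x04 followed
# immediately by a long run of 0x01 filler bytes; a DNS reply never does.
TIGHT_RE = re.compile(rb"\A\x04\x01{64,}")


def loose_sig_4701(pkt: UdpPacket) -> bool:
    """Fires on any UDP datagram to port 1434 matching the loose pattern."""
    return pkt.dst_port == 1434 and LOOSE_RE.search(pkt.payload) is not None


def tight_sig_4701(pkt: UdpPacket) -> bool:
    """Requires the anchored 0x04 + 0x01-run prefix and a worm-sized payload."""
    return (pkt.dst_port == 1434
            and len(pkt.payload) > 300
            and TIGHT_RE.match(pkt.payload) is not None)


# Constructed DNS reply for mail.example.com, sent from port 53 back to a
# client that happened to pick 1434 as its ephemeral source port.
DNS_REPLY = UdpPacket(
    src_port=53, dst_port=1434,
    payload=(b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header
             + b"\x04mail\x07example\x03com\x00\x00\x01\x00\x01"  # question
             + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # answer RR
             + bytes([192, 0, 2, 10])))                              # A record

# Constructed stand-in for a Slammer datagram: the 0x04/0x01 prefix with the
# remainder replaced by zero padding (no exploit bytes).
WORM_LIKE = UdpPacket(src_port=50223, dst_port=1434,
                      payload=b"\x04" + b"\x01" * 97 + bytes(278))


def evaluate(packets):
    """Return {'loose': [...], 'tight': [...]} of (src_port, dst_port) hits."""
    return {"loose": [(p.src_port, p.dst_port) for p in packets if loose_sig_4701(p)],
            "tight": [(p.src_port, p.dst_port) for p in packets if tight_sig_4701(p)]}


if __name__ == "__main__":
    print(evaluate([DNS_REPLY, WORM_LIKE]))
```

The loose rule flags the DNS reply (53 -> 1434) exactly as described in the question, while the anchored prefix plus size check keeps the worm-like datagram and drops the DNS traffic.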

New Member

Re: Connection information of SIG ID 4701

Can you explain to me whether this signature triggers on every connection to port 1434, or whether the packet is inspected to catch this particular worm?
