Connection information of SIG ID 4701

7dallen
Level 1

Since we upgraded our 4210 to Signature release S40 we are now detecting SQL Slammer worm alarms which appear to be false positives. The alarm indicates the Source IP as our DNS and Source Port of 53 to Dest IP and Dest Port of 1434 UDP. In previous signatures, this alert appeared to be working correctly. Has anyone else seen this, or confirmed this may be reversed connections?

2 Replies

mcerha
Level 3

The regex was modified in S40 to make the signature more generic (i.e. to catch any variations of the Slammer worm). Unfortunately, it was made too generic. DNS and Kerberos traffic have been shown to cause false positives. We have made an adjustment to the regex for this signature which will ship with the S41 update sometime next week.

Can you explain to me whether this signature triggers on every connection to port 1434, or whether the packet is inspected to catch this particular worm?
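As an added illustration (not part of the original thread, and not Cisco's actual signature regex) of the difference mcerha describes and of the port-versus-payload question in the last reply: a port-only match fires on DNS and Kerberos replies that happen to be addressed to UDP/1434, while a match that also inspects the payload for Slammer's characteristic prefix does not. The prefix pattern, the sample datagrams and the helper names are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class UdpDatagram:
    src_port: int
    dst_port: int
    payload: bytes


def generic_rule(pkt: UdpDatagram) -> bool:
    """Over-generic match, modelled on the S40 behaviour described in the
    thread: anything addressed to UDP/1434 fires, whatever the payload."""
    return pkt.dst_port == 1434


# Constructed check (not Cisco's S41 regex): the Slammer overflow datagram
# opens with 0x04 followed by a long run of 0x01 padding bytes.
SLAMMER_HEAD = re.compile(rb"\A\x04\x01{32,}")


def strict_rule(pkt: UdpDatagram) -> bool:
    """Port plus payload inspection: fires only when the datagram to
    UDP/1434 actually carries the worm's characteristic prefix."""
    return pkt.dst_port == 1434 and SLAMMER_HEAD.match(pkt.payload) is not None


# Constructed sample traffic. The DNS and Kerberos replies are addressed to
# an ephemeral client port that happens to be 1434, exactly the case that
# produced the false positives reported above.
SAMPLES = {
    "dns_reply": UdpDatagram(53, 1434, b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"),
    "kerberos_reply": UdpDatagram(88, 1434, b"\x6e\x82\x01\x2c\x30\x82\x01\x28"),
    # 0x04, 97 bytes of 0x01, then zero filler standing in for the rest of
    # the 376-byte datagram (no worm body is included here).
    "slammer_like": UdpDatagram(1234, 1434, b"\x04" + b"\x01" * 97 + b"\x00" * 278),
}


def evaluate(rule) -> dict:
    """Return {sample_name: fired} for one rule over the sample traffic."""
    return {name: rule(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, rule in (("generic", generic_rule), ("strict", strict_rule)):
        print(name, evaluate(rule))
```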
