Cisco Support Community
New Member

Signature Suggestion for MSSQL Slammer.

Is there a signature already developed that I do not have? I have added a custom signature looking for atomic udp port 1434. But I wanted to make sure that there isn't already a signature that perhaps I am missing.

thanks,

Geoff

  • Other Security Subjects
8 REPLIES
Cisco Employee

Re: Signature Suggestion for MSSQL Slammer.

We are working on a better signature and will have something within the next couple of hours. Please be checking back here once in a while for updates. We will keep in touch through this web forum as well as through the active update mechanisms.

KLW

New Member

Re: Signature Suggestion for MSSQL Slammer.

GREAT THANKS!

New Member

Re: Signature Suggestion for MSSQL Slammer.

Hello All,

Here is a sigwiz screen snapshot of our first stab at this signature. We are currently testing it, and will have more info in a bit, but wanted to get this out asap.

(Use whatever SIGID number you want in the range 20000-50000).

Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.UDP SIGID 24701
SigName: SQL Slammer
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireAll
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength = 360
8 - MinHits =
9 - MinMatchLength =
10 * RegexString = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
11 - ResetAfterIdle = 15
12 * ServicePorts = 1434
13 - SigComment =
14 - SigName = SQL Slammer
15 - SigStringInfo =
16 - ThrottleInterval = 15
17 - WantFrag =

We put in the .*dll at the end to make it a little more specific. Also, the MaxInspectLength will be used to limit deep packet inspection, hopefully improving fidelity.

We may have to tweak these settings a little bit, but here is the first response to the worm...

Regards,

-JK
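To make the interaction of the three parameters that actually do the matching above (ServicePorts/Direction, MaxInspectLength, RegexString) concrete, here is an added example that is not part of the thread and not Cisco's sensor code. It re-implements the STRING.UDP decision in Python over constructed UDP payloads: the `UdpDatagram` type, the payload samples and the use of Python's `re` with DOTALL (so `.` also crosses newline bytes in binary data) are all assumptions of the example, not details from the page.

```python
import re
from dataclasses import dataclass

# Signature parameters transcribed from the sigwiz listing in the thread.
SERVICE_PORT = 1434          # 12 * ServicePorts = 1434
MAX_INSPECT_LENGTH = 360     # 7 - MaxInspectLength = 360
# 10 * RegexString, applied as a Python bytes regex. DOTALL is an assumption of
# this example so that '.*' can span 0x0a bytes inside a binary payload.
SLAMMER_REGEX = re.compile(rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]", re.DOTALL)


@dataclass
class UdpDatagram:
    """Minimal stand-in for a decoded UDP packet (hypothetical type)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_slammer_sig(dgram: UdpDatagram) -> bool:
    """Return True if the STRING.UDP signature above would fire on this datagram."""
    # Direction = ToService with ServicePorts = 1434: only traffic sent to
    # UDP/1434 is inspected at all.
    if dgram.dport != SERVICE_PORT:
        return False
    # MaxInspectLength = 360: the engine only looks at the first 360 payload
    # bytes, which is the "limit deep packet inspection" trade-off in the post.
    window = dgram.payload[:MAX_INSPECT_LENGTH]
    return SLAMMER_REGEX.search(window) is not None


# Constructed sample payloads (not captured worm traffic).
# Worm-like: leading 0x04, a run of 0x01 bytes, filler, then a library name
# containing ".dll", which is what the regex tail requires.
WORMLIKE = b"\x04" + b"\x01" * 97 + b"\x90" * 100 + b"ws2_32.dll" + b"\x00" * 150

# Benign SSRP instance-enumeration request to the same port: a single 0x02 byte.
SSRP_ENUM = b"\x02"

# Same 0x04/0x01 prefix but no ".dll" anywhere: the ".*dll" tail the post added
# for specificity keeps this from firing.
PREFIX_ONLY = b"\x04" + b"\x01" * 97 + b"\x90" * 200

# ".dll" present, but only after byte 360: outside the inspection window, so no
# alarm. This is the fidelity/cost trade-off MaxInspectLength buys.
LATE_DLL = b"\x04" + b"\x01" * 5 + b"\x90" * 400 + b".dll"


def classify(dgrams):
    """Return (source, fired) pairs for a batch of datagrams."""
    return [(d.src, matches_slammer_sig(d)) for d in dgrams]


if __name__ == "__main__":
    batch = [
        UdpDatagram("10.0.0.5", "10.0.0.9", 1434, WORMLIKE),
        UdpDatagram("10.0.0.6", "10.0.0.9", 1434, SSRP_ENUM),
        UdpDatagram("10.0.0.7", "10.0.0.9", 1434, PREFIX_ONLY),
        UdpDatagram("10.0.0.8", "10.0.0.9", 1434, LATE_DLL),
        UdpDatagram("10.0.0.5", "10.0.0.9", 1433, WORMLIKE),  # TCP/1433-style port, not inspected
    ]
    for src, fired in classify(batch):
        print(f"{src}: {'ALARM' if fired else 'no match'}")
```

The `LATE_DLL` case is the one worth keeping in mind when tuning: raising MaxInspectLength widens the window at the cost of more inspection per packet, and lowering it can silently drop matches that sit deeper in the payload.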

New Member

Re: Signature Suggestion for MSSQL Slammer.

When will you have the new signature?

Cisco Employee

Re: Signature Suggestion for MSSQL Slammer.

The 3.1(3)S39 Signature Update was posted to CCO yesterday (1/26/03).

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-appsens

New Member

Re: Signature Suggestion for MSSQL Slammer.

Would/should the Slammer Worm also trigger the SQL Worm/Default sa account access signatures?

New Member

Re: Signature Suggestion for MSSQL Slammer.

I see the signature for the IDS appliance of s39, but what about the signature upgrade for CSPM?

Cisco Employee

Re: Signature Suggestion for MSSQL Slammer.

They are working on it, and will have it posted as soon as available. You should be able to apply S39 to the sensor. The viewer in CSPM will see the alarm as a number instead of a name until the CSPM can be updated.
