01-25-2003 09:31 AM - edited 03-09-2019 01:50 AM
Is there a signature already developed that I do not have? I have added a custom signature looking for atomic UDP port 1434. But I wanted to make sure that there isn't already a signature that perhaps I am missing.
thanks,
Geoff
01-25-2003 09:46 AM
We are working on a better signature and will have something within the next couple of hours. Please be checking back here once in a while for updates. We will keep in touch through this web forum as well as through the active update mechanisms.
KLW
01-25-2003 09:55 AM
GREAT THANKS!
01-25-2003 10:43 AM
Hello All,
Here is a sigwiz screen snapshot of our first stab at this
signature.
We are currently testing it, and will have more info in a bit,
but wanted to get this out asap.
(Use whatever SIGID number you want in the range 20000-50000).
Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.UDP SIGID 24701
SigName: SQL Slammer
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireAll
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength = 360
8 - MinHits =
9 - MinMatchLength =
10 * RegexString = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
11 - ResetAfterIdle = 15
12 * ServicePorts = 1434
13 - SigComment =
14 - SigName = SQL Slammer
15 - SigStringInfo =
16 - ThrottleInterval = 15
17 - WantFrag =
We put in the .*dll at the end to make it a little more specific.
Also, the MaxInspectLength will be used to limit deep packet inspection,
hopefully improving fidelity.
We may have to tweak these settings a little bit, but here is the
first response to the worm...
Regards,
-JK
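As an added example that is not part of the original thread and not Cisco's engine code: the posted STRING.UDP parameters re-implemented in Python and run over constructed UDP datagrams. Reading the engine as "search the first MaxInspectLength bytes of payload headed to ServicePorts for RegexString" is an assumption about its semantics, as is letting `.*` span newline bytes. The sample packets are constructed here to exercise each parameter (Direction, MaxInspectLength, the case classes in the regex); none of the bytes were captured from the wire, and the filler is arbitrary.

```python
import re
from dataclasses import dataclass

# Values copied from the STRING.UDP signature posted above. Treating the
# engine as "search the first MaxInspectLength bytes of UDP payload headed
# to ServicePorts for RegexString" is an assumption about its semantics,
# not a description of Cisco's implementation.
SERVICE_PORT = 1434          # ServicePorts = 1434
MAX_INSPECT_LENGTH = 360     # MaxInspectLength = 360
# RegexString from the post, compiled as a bytes pattern. DOTALL lets ".*"
# cross \n bytes, which binary payloads routinely contain (assumed).
SLAMMER_REGEX = re.compile(rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]", re.DOTALL)


@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int
    payload: bytes


def fires(pkt: UdpPacket) -> bool:
    """True if the packet would fire the 'SQL Slammer' signature.

    Direction = ToService: only datagrams sent *to* the service port are
    examined, so traffic from port 1434 back to a client is ignored.
    MaxInspectLength = 360: only the first 360 payload bytes are searched.
    """
    if pkt.dst_port != SERVICE_PORT:
        return False
    return SLAMMER_REGEX.search(pkt.payload[:MAX_INSPECT_LENGTH]) is not None


# Constructed sample traffic; none of these bytes were captured on the wire.
# A Slammer-shaped datagram: SSRP type byte 0x04, a long run of 0x01 padding,
# arbitrary filler, then two ".dll" names as the regex expects.
SLAMMER_LIKE = (
    b"\x04" + b"\x01" * 96 + b"\xcc" * 48
    + b"sqlsort.dll\x00" + b"\xcc" * 24 + b"WS2_32.DLL\x00" + b"\x00" * 80
)
# A legitimate SSRP "list instances" ping is a single 0x02 byte.
SSRP_PING = b"\x02"
# Prefix present, but ".dll" only appears after byte 360 of the payload.
DLL_PAST_LIMIT = b"\x04" + b"\x01" * 5 + b"\x00" * 354 + b"x.dll"
# Minimal match: prefix, no filler at all, mixed-case extension.
MINIMAL_MIXED_CASE = b"\x04\x01\x01\x01\x01\x01kernel32.DlL"
# Has a .dll string, but the run of 0x01 is broken, so the prefix does not match.
BROKEN_PREFIX = b"\x04\x01\x01\x01\x01\x02 foo.dll"


def run_samples() -> dict:
    """Evaluate the signature over the constructed packets; name -> fired?"""
    samples = {
        "slammer_like_to_1434": UdpPacket(4311, 1434, SLAMMER_LIKE),
        "ssrp_ping_to_1434": UdpPacket(4311, 1434, SSRP_PING),
        "slammer_like_from_1434": UdpPacket(1434, 4311, SLAMMER_LIKE),
        "dll_past_max_inspect": UdpPacket(4311, 1434, DLL_PAST_LIMIT),
        "minimal_mixed_case": UdpPacket(4311, 1434, MINIMAL_MIXED_CASE),
        "broken_prefix": UdpPacket(4311, 1434, BROKEN_PREFIX),
    }
    return {name: fires(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:28s} {'ALARM' if fired else '-'}")
```

The `dll_past_max_inspect` case is the caveat worth noting: the regex alone would match that payload, but with MaxInspectLength = 360 the `.dll` string falls outside the inspected window and the signature stays quiet. The limit trades that blind spot for less deep inspection per packet, so it should be set with the real packet's layout in mind rather than left at a round number.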
01-26-2003 07:07 AM
When will you have the new signature?
01-27-2003 12:16 PM
The 3.1(3)S39 Signature Update was posted to CCO yesterday (1/26/03).
01-28-2003 05:39 AM
Would/should the Slammer Worm also trigger the SQL Worm/Default sa account access signatures?
01-28-2003 06:24 AM
I see the signature for the IDS appliance of s39, but what about the signature upgrade for CSPM?
01-28-2003 03:28 PM
They are working on it, and will have it posted as soon as available. You should be able to apply S39 to the sensor. The viewer in CSPM will see the alarm as a number instead of a name until the CSPM can be updated.