Signature Suggestion for MSSQL Slammer.

gpoer
Level 1

Is there a signature already developed that I do not have? I have added a custom signature looking for atomic UDP port 1434. But I wanted to make sure that there isn't already a signature that perhaps I am missing.

thanks,

Geoff

8 Replies

klwiley
Cisco Employee

We are working on a better signature and will have something within the next couple of hours. Please be checking back here once in a while for updates. We will keep in touch through this web forum as well as through the active update mechanisms.

KLW

GREAT THANKS!

Hello All,

Here is a sigwiz screen snapshot of our first stab at this signature. We are currently testing it, and will have more info in a bit, but wanted to get this out asap.

(Use whatever SIGID number you want in the range 20000-50000).

Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.UDP SIGID 24701
SigName: SQL Slammer
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireAll
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength = 360
8 - MinHits =
9 - MinMatchLength =
10 * RegexString = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
11 - ResetAfterIdle = 15
12 * ServicePorts = 1434
13 - SigComment =
14 - SigName = SQL Slammer
15 - SigStringInfo =
16 - ThrottleInterval = 15
17 - WantFrag =

We put in the .*dll at the end to make it a little more specific. Also, the MaxInspectLength will be used to limit deep packet inspection, hopefully improving fidelity.

We may have to tweak these settings a little bit, but here is the first response to the worm...

Regards,

-JK
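To see how the three tunable parameters above interact (ServicePorts, Direction=ToService, MaxInspectLength and the RegexString), here is an added Python emulation of the STRING.UDP match over a few constructed datagrams; it is not Cisco code and the sample payloads are made up, not captures. It also shows the trade-off the MaxInspectLength cap introduces: a ".dll" that sits past byte 360 is never seen.

```python
import re

# Parameters taken from the sigwiz listing in this thread.
SERVICE_PORT = 1434          # ServicePorts = 1434 (UDP)
MAX_INSPECT_LENGTH = 360     # MaxInspectLength = 360
# RegexString = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
# DOTALL so that '.*' also spans 0x0a bytes, as a byte-oriented engine would.
SIG_REGEX = re.compile(rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]", re.DOTALL)


def slammer_sig_matches(dst_port: int, payload: bytes) -> bool:
    """Emulate the STRING.UDP signature: Direction=ToService means only
    datagrams sent *to* UDP/1434 are examined, and only the first
    MaxInspectLength bytes of the payload are searched."""
    if dst_port != SERVICE_PORT:
        return False
    window = payload[:MAX_INSPECT_LENGTH]
    return SIG_REGEX.search(window) is not None


# Constructed sample datagrams (hypothetical, not real captures).
# 1) Worm-like: the 0x04 0x01 0x01... prefix followed by a DLL name.
SAMPLE_WORMLIKE = b"\x04" + b"\x01" * 97 + b"kernel32.dll" + b"\x01" * 40
# 2) Legitimate SSRP CLNT_UCAST_INST request: 0x04 followed by an instance name,
#    so the run of 0x01 bytes required by the regex is absent.
SAMPLE_LEGIT_SSRP = b"\x04MSSQLSERVER\x00"
# 3) Same prefix, but the only ".dll" sits past byte 360, so the cap hides it.
SAMPLE_DLL_TOO_DEEP = b"\x04" + b"\x01" * 5 + b"A" * 400 + b".dll"


def evaluate_samples() -> dict:
    """Return {sample name: matched?} for the constructed samples above."""
    return {
        "wormlike": slammer_sig_matches(1434, SAMPLE_WORMLIKE),
        "legit_ssrp": slammer_sig_matches(1434, SAMPLE_LEGIT_SSRP),
        "wrong_port": slammer_sig_matches(1433, SAMPLE_WORMLIKE),
        "dll_too_deep": slammer_sig_matches(1434, SAMPLE_DLL_TOO_DEEP),
    }


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:14s} -> {'ALARM' if hit else 'no match'}")
```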

When will you have the new signature?

The 3.1(3)S39 Signature Update was posted to CCO yesterday (1/26/03).

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-appsens

Would/should the Slammer Worm also trigger the SQL Worm/Default sa account access signatures?

I see the signature for the IDS appliance of s39, but what about the signature upgrade for CSPM?

They are working on it, and will have it posted as soon as available. You should be able to apply S39 to the sensor. The viewer in CSPM will see the alarm as a number instead of a name until the CSPM can be updated.