The BlackICE/Sentry products do NOT detect Sapphire, as ISS felt it best not to update
that product line. The following SQL scripts will find all UDP 1434 port probes from
the past hour. They work well for me, but use at your own risk; I am not responsible
for your actions or results, blah blah. They must be run from an MS Query Analyzer
window, a SQL tool installed with SQL Server. The ICEcap SQL window does not like
these.
-Tom
---- Summary of Active Systems, past hour
-- Note: the LEFT JOIN on eventParameters behaves as an inner join here, because the
-- WHERE clause filters on ep.paramvalue (rows with no parameter are dropped).
Select intr.bestName as 'IntruderName',
intr.networkAddress as 'IntruderIP',
intr.loccode,
count(*)
FROM iceevents ie
JOIN host intr ON ie.intruderID = intr.hostID
LEFT JOIN eventParameters ep ON ep.EventID = ie.eventid
WHERE ie.issuename = 'udp port probe' and ep.paramvalue = '1434'
and ie.startTime > dateadd(minute,-60,getdate())
-- intr.loccode is selected, so it must also be grouped or SQL Server rejects the query
GROUP BY intr.bestname, intr.networkaddress, intr.loccode
ORDER BY count(*) desc
--- Details of active systems
Select ie.startTime as 'StartTime',
ie.EndTime as 'EndTime',
intr.bestName as 'IntruderName',
intr.networkAddress as 'IntruderIP',
targ.bestname as 'TargetName',
targ.networkAddress as 'TargetIP',
det.BestName as 'Detector',
a.accountName as 'AccountName',
pg.groupName as 'GroupName',
ie.IssueName as 'IssueName',
ep.ParamName as 'Parameter',
ep.ParamValue as 'Value'
FROM iceevents ie
JOIN host det ON ie.detectorID = det.hostID
JOIN host intr ON ie.intruderID = intr.hostID
JOIN host targ ON ie.targetID = targ.hostID
LEFT JOIN eventParameters ep ON ep.EventID = ie.eventid
JOIN account a ON a.accountID = det.AccountID
JOIN icecapagent ia ON det.hostid = ia.agenthostid
JOIN policygroup pg ON ia.agentgroupid = pg.groupid
WHERE ie.startTime >= dateadd(hour,-1,getdate())
and ie.issuename = 'UDP Port Probe'
and ep.paramValue = '1434'
ORDER BY ie.StartTime desc
-----Original Message-----
From: Rouland, Chris (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 2:28 PM
To: Christopher Lyon; [EMAIL PROTECTED]
Subject: RE: [ISSForum] SQL Slammer
Christopher,
The RealSecure network sensor signature that shipped in RealSecure XPUs
20.4/5.3 on 9/17/02 which detects the exploit being used by the SQL
Slammer worm is named SQL_SSRP_StackBo.
-Chris
-----Original Message-----
From: Christopher Lyon [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 4:37 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] SQL Slammer
According to ISS' home page the sensors can detect this as of September
2002. I did a search for it on the signature base that I have but can't
seem to find it. I tried both Slammer and SQLExp. Does it use a
different name?
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
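Added example, not part of the thread and not ICEcap or ISS code: the "Summary of Active Systems" query above, run against a small SQLite copy of the tables it touches so the filter and grouping logic can be checked without a RealSecure/ICEcap database. The schema is an assumption built only from the column names the posted query uses (the real ICEcap database has more tables and columns, and the eventParameters ParamName under which the probed port is stored is not given on the page, so the query filters on ParamValue alone exactly as the original does). T-SQL's `dateadd(minute,-60,getdate())` is replaced by a `:since` timestamp bound from Python, and `lower()` stands in for SQL Server's case-insensitive default collation. All host and event rows are constructed sample data.

```python
"""Run the thread's 'active Slammer probers' summary query on constructed data.

Added example; schema and rows are assumptions, not the ICEcap database.
"""
import sqlite3
from datetime import datetime, timedelta

# Fixed 'now' so results are reproducible (constructed, not a real incident time).
DEMO_NOW = datetime(2003, 1, 26, 12, 0, 0)

# Assumed minimal schema: only the columns the posted query references.
SCHEMA = """
CREATE TABLE host (
    hostID         INTEGER PRIMARY KEY,
    bestName       TEXT,
    networkAddress TEXT,
    loccode        TEXT
);
CREATE TABLE iceevents (
    eventid    INTEGER PRIMARY KEY,
    intruderID INTEGER,
    targetID   INTEGER,
    issuename  TEXT,
    startTime  TEXT      -- 'YYYY-MM-DD HH:MM:SS', compared as text
);
CREATE TABLE eventParameters (
    EventID    INTEGER,
    ParamName  TEXT,
    ParamValue TEXT
);
"""

# Same logic as the posted summary query. intr.loccode is in GROUP BY (SQL Server
# rejects a selected column that is neither grouped nor aggregated), and the
# LEFT JOIN is written as an inner JOIN, which it already was in effect because
# the WHERE clause filters on ep.ParamValue.
SUMMARY_SQL = """
SELECT intr.bestName       AS IntruderName,
       intr.networkAddress AS IntruderIP,
       intr.loccode        AS loccode,
       COUNT(*)            AS probes
FROM iceevents ie
JOIN host intr          ON ie.intruderID = intr.hostID
JOIN eventParameters ep ON ep.EventID = ie.eventid
WHERE lower(ie.issuename) = 'udp port probe'
  AND ep.ParamValue = '1434'
  AND ie.startTime > :since
GROUP BY intr.bestName, intr.networkAddress, intr.loccode
ORDER BY probes DESC, intr.networkAddress
"""


def _ts(now, minutes_ago):
    """Timestamp string `minutes_ago` minutes before `now`."""
    return (now - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%d %H:%M:%S")


def build_db(now=DEMO_NOW):
    """Create the tables and load constructed sample events relative to `now`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO host VALUES (?,?,?,?)",
        [
            (1, "ws-alpha", "10.0.1.10", "HQ"),   # constructed: probes 3x in the hour
            (2, "ws-beta", "10.0.2.20", "BR1"),   # constructed: 1x in the hour, 2x earlier
            (3, "ws-gamma", "10.0.3.30", "BR2"),  # constructed: only non-matching events
            (9, "sqlsrv-1", "10.0.9.9", "HQ"),    # constructed: the probed target
        ],
    )
    # (eventid, intruderID, targetID, issuename, minutes_ago, ParamName, ParamValue)
    events = [
        (101, 1, 9, "UDP Port Probe", 5, "port", "1434"),
        (102, 1, 9, "UDP Port Probe", 12, "port", "1434"),
        (103, 1, 9, "udp port probe", 40, "port", "1434"),   # mixed case still matches
        (104, 2, 9, "UDP Port Probe", 30, "port", "1434"),
        (105, 2, 9, "UDP Port Probe", 180, "port", "1434"),  # outside the hour
        (106, 2, 9, "UDP Port Probe", 200, "port", "1434"),  # outside the hour
        (107, 3, 9, "UDP Port Probe", 10, "port", "53"),     # wrong port
        (108, 3, 9, "TCP Port Probe", 10, "port", "1434"),   # wrong issue name
        (109, 3, 9, "UDP Port Probe", 10, None, None),       # no parameter row at all
    ]
    for eid, intr, targ, issue, mins, pname, pval in events:
        conn.execute("INSERT INTO iceevents VALUES (?,?,?,?,?)",
                     (eid, intr, targ, issue, _ts(now, mins)))
        if pname is not None:
            conn.execute("INSERT INTO eventParameters VALUES (?,?,?)", (eid, pname, pval))
    conn.commit()
    return conn


def active_probers(conn, now=DEMO_NOW, window_minutes=60):
    """Return (IntruderName, IntruderIP, loccode, probes) rows, busiest first."""
    return conn.execute(SUMMARY_SQL, {"since": _ts(now, window_minutes)}).fetchall()


if __name__ == "__main__":
    db = build_db()
    for name, ip, loc, n in active_probers(db):
        print(f"{n:4d}  {ip:<15} {name:<10} {loc}")
```

Widening `window_minutes` to 240 pulls in ws-beta's two older events and shows why the hour window matters during a fast-spreading worm: the summary is a rate, not a lifetime count. If the ICEcap schema records other parameters whose value could legitimately be 1434, add a `ParamName` condition; the name to use is not stated in the thread.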