-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Notification
Configuration to allow BlackICE to Detect and Respond to SQL Slammer
(AKA: Sapphire)
Many BlackICE users have contacted me regarding the recent SQL
Slammer worm and its effects. Currently, BlackICE is only reporting
SQL Slammer as a UDP port probe. This is due to the extremely small
size of the Slammer worm. It is contained within a single UDP
datagram. RealSecure Network Sensor users have a signature that was
available in September of 2002 that detected this worm. However,
BlackICE had not gotten that update, yet.
Anitian has devised a configuration fix that will allow your BlackICE
agents (Sentry, Guard, Server, and Workstation) detect and respond to
the recent SQL Slammer worm. This configuration will cause the
BlackICE software to identify UDP probes on port 1434 as a "Code Red
II+" and then block the IP address of the offending system
automatically.
Obviously SQL Slammer is not a Code Red attack, but we choose this
signature because this signature initiates an immediate firewall
block from the offending IP address. This doesn't mean your system
will be entirely safe, but it will prevent additional compromise and
block the attacker for an hour.
NOTE: This configuration is not endorsed by Internet Security Systems
(yet).
- - From BlackICE Local Console
1. Stop the BlackICE service.
2. Locate the sigs.ini file in the directory where BlackICE is
installed.
3. Right-click on this file and uncheck the read-only option.
4. Open this file in Notepad, or other such text editor.
5. Insert the following line
udpprobe.2004603.1434=SQLSlammer
6. Save the file.
7. Once saved, return the file to read-only.
- - From ICEcap
You will need to repeat these steps for every IDS configuration where
you wish to deploy this signature modification.
1. Logon to ICEcap.
2. Go to the IDS Configuration Policy Element and click on Edit for
the IDS configuration where you wish to make this change.
3. Click on Custom.
4. Click Add Parameter.
5. In the NAME box enter: udpprobe.2004603.1434
6. In the VALUE box enter: SQLSlammer
7. Enter anything you want in the Comments box.
8. Click Save Settings
If you wish to use a different signature, one that will not initiate
a firewall block, you might consider Worm Extensions (signature ID:
2002209). Replace this signature ID with the 2004603 in the above
examples.
If you are filtering UDP port 1434 at your border firewall or you
have BlackICE in Paranoid mode, you should remain unaffected by this
worm. In paranoid mode, BlackICE blocks all upper UDP ports by
default.
If you have any questions or comments, please contact me at your
convenience.
___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13
iD8DBQE+N1X4RFTPAXEeGWkRAkcxAJ40z80Jygrs9ywgaeMpNDEU4phBtgCfWZZ8
rspYP6ihtlkA10rfuKktMsk==UOAS
-----END PGP SIGNATURE-----
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
