Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Andrew Plato (aplato_at_anitian.com)
Date: Tue Jan 28 2003 - 22:21:58 CST
-----BEGIN PGP SIGNED MESSAGE-----
Configuration to allow BlackICE to Detect and Respond to SQL Slammer
Many BlackICE users have contacted me regarding the recent SQL
Slammer worm and its effects. Currently, BlackICE is only reporting
SQL Slammer as a UDP port probe. This is due to the extremely small
size of the Slammer worm. It is contained within a single UDP
datagram. RealSecure Network Sensor users have a signature that was
available in September of 2002 that detected this worm. However,
BlackICE had not gotten that update, yet.
Anitian has devised a configuration fix that will allow your BlackICE
agents (Sentry, Guard, Server, and Workstation) detect and respond to
the recent SQL Slammer worm. This configuration will cause the
BlackICE software to identify UDP probes on port 1434 as a "Code Red
II+" and then block the IP address of the offending system
Obviously SQL Slammer is not a Code Red attack, but we choose this
signature because this signature initiates an immediate firewall
block from the offending IP address. This doesn't mean your system
will be entirely safe, but it will prevent additional compromise and
block the attacker for an hour.
NOTE: This configuration is not endorsed by Internet Security Systems
- - From BlackICE Local Console
1. Stop the BlackICE service.
2. Locate the sigs.ini file in the directory where BlackICE is
3. Right-click on this file and uncheck the read-only option.
4. Open this file in Notepad, or other such text editor.
5. Insert the following line
6. Save the file.
7. Once saved, return the file to read-only.
- - From ICEcap
You will need to repeat these steps for every IDS configuration where
you wish to deploy this signature modification.
1. Logon to ICEcap.
2. Go to the IDS Configuration Policy Element and click on Edit for
the IDS configuration where you wish to make this change.
3. Click on Custom.
4. Click Add Parameter.
5. In the NAME box enter: udpprobe.2004603.1434
6. In the VALUE box enter: SQLSlammer
7. Enter anything you want in the Comments box.
8. Click Save Settings
If you wish to use a different signature, one that will not initiate
a firewall block, you might consider Worm Extensions (signature ID:
2002209). Replace this signature ID with the 2004603 in the above
If you are filtering UDP port 1434 at your border firewall or you
have BlackICE in Paranoid mode, you should remain unaffected by this
worm. In paranoid mode, BlackICE blocks all upper UDP ports by
If you have any questions or comments, please contact me at your
Andrew Plato, CISSP
President / Principal Consultant
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13
-----END PGP SIGNATURE-----
ISSForum mailing list
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo