SQL (Slammer) Worm Detection using sFlow

From: Peter Phaal (peter.phaal@inmon.com)
Date: 01/27/03

    Worm infections can often be traced using sFlow. In the case of the Slammer
    worm, UDP packets destined to port 1434 with a 01-01-01 pattern in the data
    are a clear signature that can be used to identify infected hosts.

    Here is a simple script that makes use of sFlow to identify hosts infected
    with the Slammer worm.

    sflowtool | awk --source '
    # A new flow sample starts: forget any signature match from the previous one.
    /sampleType/ {flag = 0;}
    # Run of 0x01 bytes in the sampled packet header: the Slammer payload padding.
    /01-01-01-01-01-01-01-01-01-01-01/ {flag = 1;}
    # Remember the decoded source address of the current sample.
    /srcIP/ { sourceAddress = $2;}
    # Report each source once when the sample went to UDP/1434 and matched.
    /UDPDstPort/ {
      if(flag && ($2 == 1434)) {
        if(!infected[sourceAddress]) {
          infected[sourceAddress] = "yes";
          print sourceAddress;
        }
      }
    }'

    Note:
    1. The sflowtool utility can be downloaded from:
    <http://www.inmon.com/sflowTools.htm>
    2. You will need to configure your routers/switches to forward sFlow to the
    host running the script.
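    The same detection written in Python, as an added example that is not part of
    Peter's post: it parses sflowtool's "key value" output line by line, resets its
    state at each sampleType line so a header match cannot leak into the next
    sample, and counts how many sampled packets per source matched. The sample
    output below is constructed to resemble sflowtool's format, not a real capture.

```python
from collections import Counter

# Run of 0x01 padding bytes carried in Slammer's single UDP packet
SLAMMER_PATTERN = "01-01-01-01-01-01-01-01-01-01-01"
SLAMMER_PORT = 1434  # SQL Server Resolution Service


def find_infected(lines, pattern=SLAMMER_PATTERN, port=SLAMMER_PORT):
    """Scan sflowtool-style 'key value' lines; return {srcIP: hit_count} for
    sources whose sampled UDP packets to `port` contain `pattern` in headerBytes."""
    hits = Counter()
    matched, src = False, None
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key == "sampleType":
            # New flow sample: reset per-sample state so a headerBytes match
            # from the previous sample is not attributed to this one.
            matched, src = False, None
        elif key == "headerBytes":
            matched = pattern in value
        elif key == "srcIP":
            src = value
        elif key == "UDPDstPort" and matched and src and value == str(port):
            hits[src] += 1
    return dict(hits)


# Constructed sflowtool-like output (not a real capture), three flow samples:
# infected host to 1434, a DNS query, and a clean query to 1434.
SAMPLE_OUTPUT = """\
startDatagram =================================
sampleType FLOWSAMPLE
headerBytes 00-0C-29-AB-CD-EF-08-00-45-00-01-94-01-01-01-01-01-01-01-01-01-01-01-01
srcIP 192.0.2.10
UDPDstPort 1434
sampleType FLOWSAMPLE
headerBytes 00-0C-29-12-34-56-08-00-45-00-00-3C-12-34-00-00-40-11
srcIP 192.0.2.20
UDPDstPort 53
sampleType FLOWSAMPLE
headerBytes 00-0C-29-77-88-99-08-00-45-00-00-1D-00-00-40-00-40-11-02
srcIP 192.0.2.30
UDPDstPort 1434
endDatagram   =================================
"""

if __name__ == "__main__":
    for host, n in sorted(find_infected(SAMPLE_OUTPUT.splitlines()).items()):
        print(f"{host}\t{n} matching sample(s)")
```

    To run it against live data, pipe sflowtool into it and pass `sys.stdin` to find_infected.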

    Alternatively, you could use sflowtool to feed sFlow data into an intrusion
    detection tool like SNORT <http://www.snort.org/>. This allows you to access
    a large database of security-related signatures, including one for the
    Slammer worm.

    ----------------------
    Peter Phaal
    InMon Corp.

    Peter_Phaal@inmon.com



    This archive was generated by hypermail 2.1.4 : 01/27/03 PST