Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Symantec detected Slammer worm "hours" before

  • From: Martin Hannigan
  • Date: Thu Feb 13 15:37:03 2003

On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> 
> 
> Wow, Symantec is making an amazing claim.  They were able to detect
> the slammer worm "hours" before.  Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier?  Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
> 
> I assume Symantec has some data to back up their claim.
> 
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>   "For example, the DeepSight Threat Management System discovered the
>   Slammer worm hours before it began rapidly propagating. Symantec's
>   DeepSight Threat Management System then delivered timely alerts and
>   procedures, enabling administrators to protect against the attack
>   before their environment was compromised."
> 


One way they could have known about it is that some of their
customers got nailed _and called them_.

The other is an IDS signature. I'm not sure if there was one already
out there that would have caught this, but if the customers were
calling they would have been able to create one quickly, as
people did.

If there's no alarm, no event tripped, there is no correlation
data.

YMMV.




