nanog mailing list archives
Re: Symantec detected Slammer worm "hours" before
From: Martin Hannigan <hannigan () fugawi net>
Date: Thu, 13 Feb 2003 15:34:18 -0500
On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier?
>
> Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes. I assume Symantec has some data to back up their claim.
>
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>
> "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
One way they could have known about it is that some of their customers got nailed _and called them_. The other is an IDS signature. I'm not sure if there was one already out there that would have caught this, but if the customers were calling they would have been able to create one quickly, as people did. If there's no alarm, no event tripped, there is no correlation data. YMMV.