North American Network Operators Group

Re: Symantec detected Slammer worm "hours" before
On Thu, 13 Feb 2003, Martin Hannigan wrote:

>
> On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> >
> > Wow, Symantec is making an amazing claim. They were able to detect
> > the slammer worm "hours" before. Did anyone receive early alerts from
> > Symantec about the SQL slammer worm hours earlier? Academics have
> > estimated the worm spread world-wide, and reached its maximum scanning
> > rate in less than 10 minutes.
> >
> > I assume Symantec has some data to back up their claim.
> >
> > http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
> > "For example, the DeepSight Threat Management System discovered the
> > Slammer worm hours before it began rapidly propagating. Symantec's
> > DeepSight Threat Management System then delivered timely alerts and
> > procedures, enabling administrators to protect against the attack
> > before their environment was compromised."
> >
>
> One way they could have known about it is that some of their
> customers got nailed _and called them_.
>
> The other is IDS signature. I'm not sure if there was one already
> out there that would have caught this, but if the customers were
> calling they would have been able to create one quickly, as
> people did.
>
> If there's no alarm, no event tripped, there is no correlation
> data.

Another possibility is that they wrote the slammer themselves so they had
early knowledge of it :-)

K