SQL (Slammer) Worm Detection using sFlow

From: Peter Phaal (peter.phaal@inmon.com)
Date: 01/27/03

  • Next message: Peter Phaal: "RE: SQL (Slammer) Worm Detection using sFlow"

    Worm infections can often be traced using sFlow. In the case of the Slammer
    worm UDP packets destined to port 1434 with a 01-01-01 pattern in the data
    are a clear signature that can be used to identify infected hosts.

    Here is a simple script that makes use of sFlow to identify hosts infected
    with the Slammer worm.

    sflowtool | awk --source '
    /sampleType/ {flag = 0;}
    /01-01-01-01-01-01-01-01-01-01-01/ {flag = 1;}
    /srcIP/ { sourceAddress = $2;}
    /UDPDstPort/ {
      if(flag && ($2 == 1434)) {
        if(!infected[sourceAddress]) {
          infected[sourceAddress] = "yes";
          print sourceAddress;

    1. The sflowtool utility can be downloaded from:
    2. You will need to configure your routers/switches to forward sFlow to the
    host running the script.

    Alternatively you could use sflowtool to feed sFlow data into an intrusion
    detection tool like SNORT <http://www.snort.org/>. This allows you to access
    a large database of security related signatures, including one for the
    Slammer worm.

    Peter Phaal
    InMon Corp.


    This archive was generated by hypermail 2.1.4 : 01/27/03 PST