RE: SQL (Slammer) Worm Detection using sFlow

From: Peter Phaal (peter.phaal@inmon.com)
Date: 02/03/03


    The previous script reported the source IP addresses associated with
    SQL/Slammer worm traffic. This wasn't very useful since the worm generates
    packets using random source IP addresses.

    However, sFlow also reports MAC addresses. Simply change srcIP to srcMAC in
    the script to report on the MAC addresses associated with infected hosts.
    sFlow also contains other information that can help identify the location of
    infected hosts, including the router IP address and ingress port.

    Peter

    > -----Original Message-----
    > From: owner-sflow@inmon.com [mailto:owner-sflow@inmon.com]On Behalf Of
    > Peter Phaal
    > Sent: Monday, January 27, 2003 3:39 PM
    > To: sflow@sflow.org
    > Subject: [sFlow] SQL (Slammer) Worm Detection using sFlow
    >
    >
    > Worm infections can often be traced using sFlow. In the case of the
    > Slammer worm, UDP packets destined to port 1434 with a 01-01-01 pattern
    > in the data are a clear signature that can be used to identify infected
    > hosts.
    >
    > Here is a simple script that makes use of sFlow to identify hosts
    > infected with the Slammer worm.
    >
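    > sflowtool | awk --source '
    > # A new sample starts: clear the signature flag.
    > /sampleType/ {flag = 0;}
    > # Payload bytes contain the 01-01-01 run: mark this sample.
    > /01-01-01-01-01-01-01-01-01-01-01/ {flag = 1;}
    > /srcIP/ { sourceAddress = $2;}
    > # Report each source once for flagged samples sent to UDP port 1434.
    > /UDPDstPort/ {
    >   if(flag && ($2 == 1434)) {
    >     if(!infected[sourceAddress]) {
    >       infected[sourceAddress] = "yes";
    >       print sourceAddress;
    >     }
    >   }
    > }'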
    >
    > Note:
    > 1. The sflowtool utility can be downloaded from:
    > <http://www.inmon.com/sflowTools.htm>
    > 2. You will need to configure your routers/switches to forward sFlow to
    > the host running the script.
    >
    > Alternatively, you could use sflowtool to feed sFlow data into an
    > intrusion detection tool like SNORT <http://www.snort.org/>. This allows
    > you to access a large database of security-related signatures, including
    > one for the Slammer worm.
    >
    > ----------------------
    > Peter Phaal
    > InMon Corp.
    >
    > Peter_Phaal@inmon.com
    >
    >
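Added example, not part of the original messages: the reply's suggestion to key on srcMAC together with the router address and ingress port, run here over constructed sflowtool-style input. The field names `agent` and `inputPort` and every sample value are assumptions; check them against the output of your sflowtool version.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Reads sflowtool-style "name value" lines on stdin. For each distinct
# (srcMAC, agent, inputPort) that sent the Slammer signature it prints
# the tuple and the number of matching samples, in first-seen order.
# "agent" and "inputPort" are assumed sflowtool field names.
slammer_sources() {
    awk '
    BEGIN              { n = 0 }
    $1 == "agent"      { agent = $2 }
    $1 == "sampleType" { flag = 0; mac = "unknown"; port = "unknown" }
    $1 == "inputPort"  { port = $2 }
    $1 == "srcMAC"     { mac = $2 }
    /01-01-01-01-01-01-01-01-01-01-01/ { flag = 1 }
    $1 == "UDPDstPort" && flag && $2 == 1434 {
        key = mac " " agent " " port
        if (!(key in hits)) order[n++] = key
        hits[key]++
    }
    END { for (i = 0; i < n; i++) print order[i], hits[order[i]] }'
}

# Constructed sample input (all addresses and bytes are made up).
# Samples 1-2: one host, two different random source IPs. Sample 3: a
# second host. Sample 4: UDP 1434 traffic without the signature.
sample_input() {
    cat <<'EOF'
agent 10.0.0.254
sampleType FLOWSAMPLE
inputPort 7
headerBytes 04-01-01-01-01-01-01-01-01-01-01-01-01
srcMAC 00a0c9112233
srcIP 198.51.100.23
UDPDstPort 1434
sampleType FLOWSAMPLE
inputPort 7
headerBytes 04-01-01-01-01-01-01-01-01-01-01-01-01
srcMAC 00a0c9112233
srcIP 203.0.113.77
UDPDstPort 1434
sampleType FLOWSAMPLE
inputPort 12
headerBytes 04-01-01-01-01-01-01-01-01-01-01-01-01
srcMAC 0002b3445566
srcIP 192.0.2.9
UDPDstPort 1434
sampleType FLOWSAMPLE
inputPort 3
headerBytes 02-4d-53-53-51-4c
srcMAC 00d0b7aabbcc
srcIP 192.0.2.40
UDPDstPort 1434
EOF
}
```

With live data, replace `sample_input` with `sflowtool` in the pipeline `sample_input | slammer_sources`; the two spoofed source IPs in the sample collapse to a single MAC and ingress port.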


