The Slammer (or Sapphire) worm was one of the fastest-spreading worms in history. It exploited a stack overflow vulnerability in Microsoft SQL Server 2000 and was delivered in a single 404-byte UDP packet (including the IP header) to port 1434.
The Slammer worm can easily be identified in your iptables log data as a packet to UDP port 1434 and an IP LEN field of 404. The psad signature set includes the PSAD-CUSTOM Slammer communication attempt signature to alert you when the worm hits one of your systems. Let's see if the Slammer worm was active against the honeynet from external sources:
# psad -m iptables.data --gnuplot --CSV-fields "timestamp dp:1434,counthour" --gnuplot-graph lines --gnuplot-xrange 1140887484:1143867180 --CSV-regex "LEN=404.*PROTO=UDP" --CSV-neg-regex "SRC=11.11." --gnuplot-file-prefix fig14-9
$ gnuplot fig14-9.gnu
Gnuplot produces the line graph shown in Figure 14-9. (Note the LEN=404 criterion in the --CSV-regex command-line argument above; this is critical because there are other UDP packets to port 1434 logged in the Scan34 data set, but they are not from the Slammer worm, since their total packet length is not 404 bytes.)
Indeed, the Slammer worm was active against the honeynet, and the large spike on March 20 shows a peak activity of about 57 packets per hour.
This is a significant amount of activity, but what happens when we change the time scale? Let's ratchet the time scale up to see what the Slammer activity was minute by minute (note the use of the countmin option on the psad command this time):
# psad -m iptables.data --gnuplot --CSV-fields "timestamp dp:1434,countmin" --gnuplot-graph lines --gnuplot-xrange 1140887484:1143867180 --CSV-regex "LEN=404.*PROTO=UDP" --CSV-neg-regex "SRC=11.11." --gnuplot-file-prefix fig14-10
$ gnuplot fig14-10.gnu
Now the Slammer worm activity, shown in Figure 14-10, doesn't look quite as bad as the sharp spike in Figure 14-9, but this is only because the time scale has changed. The number of packets from systems infected with the Slammer worm did not change; on March 21 the per-minute maximum for the entire five-week period covered by the Scan34 challenge is reached, at four packets in a single minute.
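As an added example (not psad's own code and not part of the original text), the same Slammer filter expressed in Python over a few constructed iptables log lines: the first LEN field (the IP total length) must be 404, PROTO must be UDP, DPT must be 1434, and sources in the honeynet's 11.11. range are excluded, after which matches are counted per hour and per minute to reproduce the time-scale comparison above. The log lines and the honeynet prefix are assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed iptables LOG entries in the syslog format psad parses (not taken from the
# Scan34 data set). The first LEN is the IP total length; the second is the UDP length.
SAMPLE_LOG = """\
Mar 20 14:02:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=11.11.79.67 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=30242 PROTO=UDP SPT=1052 DPT=1434 LEN=384
Mar 20 14:02:43 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=11.11.79.67 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=41 PROTO=UDP SPT=3201 DPT=1434 LEN=384
Mar 20 14:05:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=11.11.79.67 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=UDP SPT=40000 DPT=1434 LEN=40
Mar 20 14:05:30 fw kernel: IN=eth0 OUT= SRC=11.11.79.70 DST=192.0.2.99 LEN=404 TOS=0x00 PREC=0x00 TTL=128 ID=77 PROTO=UDP SPT=1050 DPT=1434 LEN=384
Mar 20 14:47:55 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=11.11.79.67 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=812 PROTO=UDP SPT=1034 DPT=1434 LEN=384
Mar 20 15:11:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=11.11.79.67 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=5 PROTO=TCP SPT=4000 DPT=1434 WINDOW=65535 SYN
"""

HONEYNET_PREFIX = "11.11."  # internal range excluded by --CSV-neg-regex "SRC=11.11." above


def parse_fields(line):
    """Return the KEY=VALUE pairs of one iptables log line; the first LEN (IP length) wins."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)
    return fields


def is_slammer(fields):
    """Slammer criteria from the text: UDP to port 1434 with an IP LEN of exactly 404 bytes,
    from a source outside the honeynet (other UDP/1434 packets are not the worm)."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("DPT") == "1434"
            and fields.get("LEN") == "404"
            and not fields.get("SRC", "").startswith(HONEYNET_PREFIX))


def count_slammer(log_text, per="hour"):
    """Count matching packets per hour or per minute, keyed like 'Mar 20 14:00' / 'Mar 20 14:02'."""
    fmt = "%b %d %H:00" if per == "hour" else "%b %d %H:%M"
    counts = Counter()
    for line in log_text.splitlines():
        if not is_slammer(parse_fields(line)):
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog timestamp prefix
        counts[ts.strftime(fmt)] += 1
    return counts


if __name__ == "__main__":
    for per in ("hour", "minute"):
        print(per, dict(count_slammer(SAMPLE_LOG, per)))
```

Run as a script it prints the hourly bucket (three packets) and the two minute buckets (two and one), the same packets viewed at two time scales, just as Figures 14-9 and 14-10 show for the real data.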