Example: Using Profiler to Investigate Unanticipated Attacks
Suppose your corporate security policy does not permit SQL servers on the internal network. However, during a regular Microsoft update, SQL applications are installed on a network server without your knowledge. Because you are not aware that an SQL server is running on your network, you have not configured security policy rules to block SQL attacks.
Suppose you then receive a call informing you that the SQL Slammer worm is attacking and infecting your network.
To investigate:
1. Create a custom TCP service object to represent Microsoft SQL (default port: TCP/1433).
2. Restart the Profiler.
3. In the NSM navigation tree, select Investigate > Security Monitor > Profiler to display the Profiler viewer.
4. Click the Network Profiler tab and review the source, destination, and service data.
5. Use a filter to display only records matching the SQL service object you created in Step 1.
The filtered view highlights the SQL servers in your network.
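The same investigation can be reproduced outside the NSM GUI when Profiler data has been exported. The following Python script is an added example, not NSM's own code or API: it models the custom TCP service object, applies it as a filter over a constructed set of source/destination/service records, and reports which internal hosts are accepting connections on the SQL port, so that any host not on an approved list stands out as a policy violation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceObject:
    """Hypothetical stand-in for an NSM custom service object (name, protocol, port)."""
    name: str
    protocol: str
    port: int

    def matches(self, record: dict) -> bool:
        # A record matches when both the transport protocol and destination port agree.
        return record["protocol"] == self.protocol and record["dst_port"] == self.port


# The custom service object from Step 1: Microsoft SQL on its default port TCP/1433.
MSSQL = ServiceObject(name="MS-SQL", protocol="TCP", port=1433)

# Constructed sample records in the shape of Profiler's source/destination/service data.
# Addresses are made up for this example.
SAMPLE_RECORDS = [
    {"src": "10.1.1.20", "dst": "10.1.2.5", "protocol": "TCP", "dst_port": 1433},
    {"src": "10.1.1.21", "dst": "10.1.2.5", "protocol": "TCP", "dst_port": 1433},
    {"src": "10.1.1.20", "dst": "10.1.3.7", "protocol": "TCP", "dst_port": 1433},
    {"src": "10.1.1.22", "dst": "10.1.2.5", "protocol": "TCP", "dst_port": 443},   # web, not SQL
    {"src": "10.1.1.23", "dst": "10.1.2.5", "protocol": "UDP", "dst_port": 1433},  # wrong protocol
    {"src": "10.1.1.20", "dst": "10.1.2.5", "protocol": "TCP", "dst_port": 1433},  # repeat flow
]


def filter_records(records: list[dict], service: ServiceObject) -> list[dict]:
    """Step 5: keep only the records that match the service object."""
    return [r for r in records if service.matches(r)]


def sql_servers(records: list[dict], service: ServiceObject) -> dict[str, int]:
    """Map each destination host accepting the service to its number of distinct clients.

    A host with clients on the SQL port is behaving as an SQL server, whether or not
    anyone intended it to be one.
    """
    clients_by_server: dict[str, set[str]] = defaultdict(set)
    for r in filter_records(records, service):
        clients_by_server[r["dst"]].add(r["src"])
    return {dst: len(srcs) for dst, srcs in clients_by_server.items()}


def unauthorized_servers(records: list[dict], service: ServiceObject,
                         approved: frozenset[str] = frozenset()) -> list[str]:
    """Hosts serving the service that are not on the approved list.

    Under a policy that permits no SQL servers, ``approved`` is empty and every
    discovered server is a finding.
    """
    return sorted(dst for dst in sql_servers(records, service) if dst not in approved)


if __name__ == "__main__":
    for host, n_clients in sql_servers(SAMPLE_RECORDS, MSSQL).items():
        print(f"{host} is serving {MSSQL.name} to {n_clients} distinct client(s)")
    print("policy violations:", unauthorized_servers(SAMPLE_RECORDS, MSSQL))
```

Matching on protocol as well as port matters here: a UDP datagram to port 1433 is not a connection to the TCP service object, and dropping the protocol check would both inflate the server list and misrepresent what the custom service object actually represents.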
Take appropriate measures to secure the network, such as:
- Applying patches.
- Removing the components from your network.
- Removing SQL server from all components.
- Creating a rule in your security policy that drops all SQL connections between your internal network objects.