Good idea, thanks. We'll adjust.
So if you're having false issues be sure to define sql_servers. And it
might be worthwhile to do an nmap sweep for 1434 to be sure you know
where those are.
Matt
James Riden wrote:
These will fire on some valid DNS replies where the ephemeral dst port
happens to be 1434/udp. Might be best to swap $HOME_NET to
$SQL_SERVERS if you think you know where your SQL servers
are. However, sadly with MSDE, it can be pretty hard to know which
machines *are* running MS-SQL.
cheers,
Jamie
alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS bouncing packets";
content:"|0A|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf;
classtype:attempted-dos; sid:2000381; rev:1;)
alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS attempt (08)";
content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; dsize:>1;
reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000378; rev:1;)
------------------------------------------------------------------------------
#(5 - 115084) [2005-02-12 15:24:32.281]
[url/www.nextgenss.com/papers/tp-SQL2000.pdf] [snort/2000381] BLEEDING-EDGE
MS-SQL DOS bouncing packets
IPv4: 130.123.128.32 -> 130.123.144.11
hlen=5 TOS=0 dlen=142 ID=28407 flags=0 offset=0 TTL=64 chksum=46661
UDP: port=53 -> dport: 1434 len=122
Payload: length = 114
000 : 0A 57 81 83 00 01 00 00 00 01 00 00 08 69 74 30 .W...........it0
010 : 30 35 30 35 33 06 69 6E 72 6C 61 62 05 6C 6F 63 05053.inrlab.loc
020 : 61 6C 00 00 01 00 01 00 00 06 00 01 00 00 07 48 al.............H
030 : 00 40 01 41 0C 52 4F 4F 54 2D 53 45 52 56 45 52 .@.A.ROOT-SERVER
040 : 53 03 4E 45 54 00 05 4E 53 54 4C 44 0C 56 45 52 S.NET..NSTLD.VER
050 : 49 53 49 47 4E 2D 47 52 53 03 43 4F 4D 00 77 82 ISIGN-GRS.COM.w.
060 : 31 AC 00 00 07 08 00 00 03 84 00 09 3A 80 00 01 1...........:...
070 : 51 80 Q.
------------------------------------------------------------------------------
#(5 - 508848) [2005-03-12 06:46:26.783]
[url/www.nextgenss.com/papers/tp-SQL2000.pdf] [snort/2000378] BLEEDING-EDGE
MS-SQL DOS attempt (08)
IPv4: 130.123.128.32 -> 130.123.32.254
hlen=5 TOS=0 dlen=116 ID=15551 flags=0 offset=0 TTL=64 chksum=22437
UDP: port=53 -> dport: 1434 len=96
Payload: length = 88
000 : 08 9E 85 83 00 01 00 00 00 01 00 00 08 69 74 30 .............it0
010 : 30 36 31 35 30 06 6D 61 73 73 65 79 02 61 63 02 06150.massey.ac.
020 : 6E 7A 00 00 01 00 01 C0 15 00 06 00 01 00 00 1C nz..............
030 : 20 00 25 08 74 75 72 2D 6E 65 74 31 C0 15 03 73 .%.tur-net1...s
040 : 6F 61 C0 15 00 14 E3 AF 00 00 1C 20 00 00 01 2C oa......... ...,
050 : 00 12 75 00 00 00 A8 C0 ..u.....
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
