Network Security Snort-Users

Re: [Snort-users] MS-SQL Probe when listening to streaming radio! ???

Subject: Re: [Snort-users] MS-SQL Probe when listening to streaming radio! ???
Date: Wed, 29 Mar 2006 09:58:07 -0600
Here's what that rule is looking for:

On any port of any host designated as a SQL SERVER (in the var in your snort.conf file)

content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512;

Which translates to:

Enqueue followed by ";" between 2 and 512 bytes later followed by another ";" within 512 bytes of the previous one with data in between the semicolons. Enqueuing is the process of putting items in a queue, which is frequently used in databases.

Can you post the payload?

If you have sql servers on your network, you should define them in the SQL_SERVERS var in snort.conf. That will eliminate useless alerts like this one.

--On Wednesday, March 29, 2006 08:53:46 -0500 Jeffery Gunter <jgunter@cbetn.com> wrote:



Hi Folks;

I'm quite new to snort.  I have a user using Win Media Player to listen
to streaming radio from WIMZ out of Knoxville, TN. My issue is that it is
causing snort to go crazy. I've received over 100 of the following
messages:

IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt
[Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP}
66.250.188.37:2267 -> 10.88.220.65:1215

My user's ip is 65 and when I had her stop accessing the stream the
messages stopped? What is up with this? I have no SQL services running on
her computer?

Thanks for your help!

J

Jeffery Gunter  |  Chief Information Officer  |  Citizens Bank of East
Tennessee  |  http://www.cbetn.com

email:  jgunter@cbetn.com

Land:  423-272-2200  x17

Cell:  423-754-5157

Fax:  423-272-2322



Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/

Attachment: p7seGXamtMtxD.p7s
Description: S/MIME cryptographic signature
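As an added example (not part of either message, and not Snort's own code), here is a Python re-implementation of the rule's option chain quoted in the reply, following Snort's documented semantics for content, depth, byte_test, distance, isdataat and within, run over three constructed datagrams: a normal SQL Server Browser reply, a reply with a long delimiter-free run, and an opaque binary blob that merely begins with 0x05. The SSRP field names and all sample bytes are assumptions.

```python
import struct

def sql_probe_overflow_matches(payload: bytes) -> bool:
    """True when the payload satisfies every option of sid 2329 (illustrative
    re-implementation following Snort's documented option semantics)."""
    # content:"|05|"; depth:1 -> first byte is 0x05 (the SSRP "server response" type)
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    # byte_test:2,>,512,1 -> 16-bit big-endian value at offset 1 must exceed 512
    (value,) = struct.unpack_from(">H", payload, 1)
    if value <= 512:
        return False
    # content:"|3B|"; distance:0 -> a ';' anywhere after the first byte. Snort
    # retries later ';' occurrences when the relative checks fail, hence the loop.
    pos = payload.find(b";", 1)
    while pos != -1:
        after = pos + 1
        # isdataat:512,relative -> more than 512 bytes remain after the ';'
        # content:!"|3B|"; within:512 -> and none of the next 512 bytes is a ';'
        if len(payload) - after > 512 and b";" not in payload[after:after + 512]:
            return True
        pos = payload.find(b";", after)
    return False

# Constructed sample datagrams (not captured traffic).
def normal_browser_reply() -> bytes:
    # Short key/value pairs with a ';' every few bytes: does not match.
    body = b"ServerName;SQLBOX;InstanceName;MSSQLSERVER;Version;9.00.1399;tcp;1433;;"
    return b"\x05" + struct.pack(">H", len(body)) + body

def long_run_reply() -> bytes:
    # 600 delimiter-free bytes after the first ';': the shape the rule is built to flag.
    body = b"ServerName;" + b"A" * 600
    return b"\x05" + struct.pack(">H", len(body)) + body

def opaque_binary_blob() -> bytes:
    # Arbitrary binary data (e.g. a media stream chunk) that happens to start with
    # 0x05, carries a value > 512 at offset 1, and has one ';' followed by a long
    # run with no 0x3B byte: matches just like the previous case.
    filler = bytes(b for b in range(256) if b != 0x3B) * 3
    return b"\x05\x10\x00\x01\x02;" + filler

if __name__ == "__main__":
    for fn in (normal_browser_reply, long_run_reply, opaque_binary_blob):
        print(fn.__name__, sql_probe_overflow_matches(fn()))
```

The third case is why restricting the rule to hosts listed in SQL_SERVERS matters: any binary stream of the right shape satisfies the byte checks.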
