[Snort-sigs] MS-SQL Ping false positives

David Wilburn dwilburn at ...8...
Thu Aug 28 03:11:04 EDT 2003


The MS-SQL Ping rule (SID 2049) seems to generate nothing but false 
positives.  I don't know why, but I have seen it false alarm on traffic 
sent by hosts that I believe are SQL Servers that is sent to  I don't know what this traffic is actually for, 
however.  The payload is always one byte, 0x02.

Can anyone else confirm this as a false alarm?  Even better, can they 
tell me what this traffic is?

-Dave Wilburn
