[Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf

Joseph Gama josephgama at ...144...
Fri Jul 9 13:02:09 EDT 2004


Hello everybody,

I am sorry for my persistence on trying to find what
was wrong with a rule. I want to thank Matthew Jonkman
and Matthew Watchinski for their help trying to figure
it out. It happens that the rule works fine when no
database output is defined in snort.conf but when
using "output database: log, mssql" it won't fire at
all. I used MSSQL Profiler to detect what was happening
and when sending the offending packet nothing was sent
to MSSQL.

This rule works only when there is no database log:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL heap overflow attempt (0A3A31)"; content:"|0A 3A 31|"; depth:3; reference:url,http.www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:????; rev:0;)

This rule works always:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL  (08)"; content:"|08|"; depth:1; reference:url,http.www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:????; rev:0;)

Thank you.

Peace,

Joseph Gama
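As an added example (not part of the original post, and not Snort's own code), the two rules from the post are run through a minimal re-implementation of Snort's content/depth match against constructed UDP/1434 payloads; it shows that the |0A 3A 31| rule's match logic is sound on its own, which points the failure at the database output path rather than the rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two rules as posted (reference/sid fields omitted; they do not affect matching).
RULE_0A3A31 = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
               '(msg:"MS-SQL heap overflow attempt (0A3A31)"; '
               'content:"|0A 3A 31|"; depth:3; classtype:attempted-dos;)')
RULE_08 = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
           '(msg:"MS-SQL  (08)"; content:"|08|"; depth:1; classtype:attempted-dos;)')

# Constructed sample payloads (not real captures): first bytes chosen to exercise each rule.
PAYLOAD_0A3A31 = bytes.fromhex("0a3a31") + b"A" * 16
PAYLOAD_08 = b"\x08" + b"B" * 8


@dataclass
class ContentCheck:
    pattern: bytes
    depth: Optional[int] = None  # Snort 'depth': pattern must lie within the first N payload bytes


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: |..| hex runs mixed with literal ASCII text."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # odd segments sit between pipes -> hex bytes
            out += bytes.fromhex(part)  # fromhex tolerates the spaces Snort allows
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_checks(rule: str) -> list:
    """Extract every content:"..."; (with optional depth:N;) modifier from a rule line."""
    checks = []
    for m in re.finditer(r'content:"([^"]*)";(\s*depth:(\d+);)?', rule):
        depth = int(m.group(3)) if m.group(3) else None
        checks.append(ContentCheck(parse_content(m.group(1)), depth))
    return checks


def matches(check: ContentCheck, payload: bytes) -> bool:
    window = payload if check.depth is None else payload[:check.depth]
    return check.pattern in window


def rule_fires(rule: str, payload: bytes) -> bool:
    """True when every content check of the rule matches the payload."""
    return all(matches(c, payload) for c in rule_checks(rule))
```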





