[Snort-sigs] Snort SIG update - false positives on SID 2329
Dr. Christoph Wegener
wegener at ...2349...
Mon Mar 29 05:10:38 EST 2004
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe
response overflow attempt"; content:"|05|"; depth:1;
byte_test:2,>,512,1; content:"|3b|"; distance:0;
isdataat:512,relative; content:!"|3b|"; within:512;
security/bulletin/MS04-003.asp; classtype:attempted-user; sid:2329;
This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft Windows Data Access Components.
Ease of Attack:
I have noticed false positives with our NFS servers when the payload
fits the snort rule.
Maybe exclude UDP port 2049 (NFS).
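As an added illustration (not part of the original message or of the Snort rule set), the following Python models SID 2329's detection options as read from the rule text quoted above, shows how a constructed NFS-like UDP/2049 write request satisfies them, and applies the suggested port exclusion so that datagram no longer alerts. The option semantics, the `sid_2329_matches` and `should_alert` names and the sample payloads are my reading and construction, not Snort's own code.

```python
"""Model of Snort SID 2329's detection options (assumed reading, not Snort code)."""
import struct

SEMICOLON = 0x3B  # the "|3b|" byte named in the rule


def sid_2329_matches(payload: bytes) -> bool:
    """True when the payload satisfies SID 2329 as read option by option:
      content:"|05|"; depth:1       -> first byte is 0x05
      byte_test:2,>,512,1           -> big-endian 16-bit value at offset 1 is > 512
      content:"|3b|"; distance:0    -> a 0x3b byte at or after the cursor (offset 1)
      isdataat:512,relative         -> at least 512 bytes follow that 0x3b
      content:!"|3b|"; within:512   -> and none of those 512 bytes is 0x3b
    """
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    if struct.unpack("!H", payload[1:3])[0] <= 512:
        return False
    cursor = 1  # detection cursor sits right after the matched 0x05 byte
    sep = payload.find(bytes([SEMICOLON]), cursor)
    if sep == -1:
        return False
    cursor = sep + 1
    if len(payload) - cursor < 512:  # isdataat:512,relative (assumed: >= 512 bytes remain)
        return False
    return SEMICOLON not in payload[cursor:cursor + 512]


def should_alert(dst_port: int, payload: bytes, excluded_ports=frozenset({2049})) -> bool:
    """Apply the poster's suggestion: do not run the rule against NFS (UDP/2049).
    In the Snort rule header the same effect is the destination port !2049 instead of any."""
    if dst_port in excluded_ports:
        return False
    return sid_2329_matches(payload)


# Constructed sample resembling an ONC RPC NFSv3 WRITE call: the XID happens to
# start with 0x05, a 0x3b byte sits in the header, and 1 KiB of zero file data follows.
NFS_LIKE_WRITE = (
    bytes([0x05, 0x04, 0x03, 0x02])               # XID (arbitrary, first byte 0x05)
    + struct.pack("!IIIII", 0, 2, 100003, 3, 7)    # CALL, RPC v2, NFS program, v3, WRITE
    + bytes([0x00, 0x3B, 0x00, 0x00])             # credential bytes containing 0x3b
    + b"\x00" * 1024                              # file data carried in the request
)

# Constructed small datagram whose 16-bit value at offset 1 is exactly 512, so it must not match.
SMALL_QUERY = b"\x05\x02\x00;abc"
```

Running `sid_2329_matches(NFS_LIKE_WRITE)` returns True while `should_alert(2049, NFS_LIKE_WRITE)` returns False, which is the false positive and its suppression in one place.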