[Snort-sigs] Snort SIG update - false positives on SID 2329

Dr. Christoph Wegener wegener at ...2349...
Mon Mar 29 05:10:38 EST 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3b|"; distance:0; isdataat:512,relative; content:!"|3b|"; within:512; reference:cve,CAN-2003-0903; reference:bugtraq,9407; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.asp; classtype:attempted-user; sid:2329; rev:2;)
--
Sid:
2329
--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft Windows Data Access Components.
--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
I have noticed false positives with our NFS servers when the payload
fits the Snort rule.
--
False Negatives:

--
Corrective Action:
Maybe exclude UDP port 2049 (NFS).
--
Contributors:

--
Additional References:

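The detection options of SID 2329 modelled in Python, as an added example that is not part of the post or of the Snort project. It lets a reader check why a UDP payload does or does not fire the rule, and shows the effect of the port exclusion the post proposes. The payloads are constructed test inputs, not captured NFS or MS-SQL traffic; `should_alert` and its `exclude_nfs` flag are assumed helpers standing in for what would really be a change to the rule's port variables or a suppression entry in Snort.

```python
"""Model of the detection options in Snort SID 2329 (added example, not Snort code).

Options modelled, in rule order:
  content:"|05|"; depth:1;          first payload byte is 0x05
  byte_test:2,>,512,1;              2-byte big-endian value at offset 1 is > 512
  content:"|3b|"; distance:0;       a ';' somewhere after the first byte
  isdataat:512,relative;            at least 512 bytes follow that ';'
  content:!"|3b|"; within:512;      none of those 512 bytes is a ';'
"""
import struct

NFS_PORT = 2049  # UDP port the post suggests excluding


def sid2329_matches(payload: bytes) -> bool:
    """Return True if the payload satisfies every option of SID 2329."""
    # content:"|05|"; depth:1
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    # byte_test:2,>,512,1  (absolute offset 1, big-endian by default)
    (length_field,) = struct.unpack_from(">H", payload, 1)
    if not length_field > 512:
        return False
    # content:"|3b|"; distance:0 -- Snort retries later occurrences of the
    # pattern when the relative checks after it fail, so walk every ';'.
    start = 1
    while True:
        idx = payload.find(b";", start)
        if idx == -1:
            return False
        after = idx + 1
        # isdataat:512,relative: at least 512 bytes after the ';' match
        if len(payload) - after >= 512:
            # content:!"|3b|"; within:512: no ';' in the next 512 bytes
            if b";" not in payload[after:after + 512]:
                return True
        start = after


def should_alert(src_port: int, dst_port: int, payload: bytes,
                 exclude_nfs: bool = False) -> bool:
    """Assumed wrapper: apply the rule unless NFS traffic is excluded."""
    if exclude_nfs and NFS_PORT in (src_port, dst_port):
        return False
    return sid2329_matches(payload)


# Constructed test payloads (not real packets). The first satisfies every
# option of the rule without being an MS-SQL response, which is the kind
# of benign traffic the post reports as a false positive.
MATCHING_PAYLOAD = b"\x05" + struct.pack(">H", 1024) + b"x" * 8 + b";" + b"A" * 600
SHORT_PAYLOAD = b"\x05" + struct.pack(">H", 1024) + b";" + b"A" * 100
LOW_LENGTH_PAYLOAD = b"\x05" + struct.pack(">H", 512) + b";" + b"A" * 600
SEMICOLON_SPREAD_PAYLOAD = b"\x05" + struct.pack(">H", 1024) + b";" + (b"A" * 100 + b";") * 6


if __name__ == "__main__":
    for name, data in [("matching", MATCHING_PAYLOAD), ("short", SHORT_PAYLOAD),
                       ("low length", LOW_LENGTH_PAYLOAD),
                       ("semicolons spread", SEMICOLON_SPREAD_PAYLOAD)]:
        print(f"{name:18s} rule matches: {sid2329_matches(data)}")
    print("NFS source, rule as written:", should_alert(NFS_PORT, 40000, MATCHING_PAYLOAD))
    print("NFS source, NFS excluded:   ", should_alert(NFS_PORT, 40000, MATCHING_PAYLOAD, exclude_nfs=True))
```

Running it shows that a payload only needs a 0x05 lead byte, a large length field and a long semicolon-free run after a ';' to fire, which is loose enough for non-SQL UDP protocols to hit it; excluding port 2049 silences the NFS case while leaving the same payload toward a SQL server alerting.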