[Snort-sigs] Snort SIG update - false positives on SID 2329

Nigel Houghton nigel at ...435...
Mon Mar 29 06:31:03 EST 2004


On  0, "Dr. Christoph Wegener" <wegener at ...2349...> allegedly wrote:
> Rule:
> alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3b|"; distance:0; isdataat:512,relative; content:!"|3b|"; within:512; reference:cve,CAN-2003-0903; reference:bugtraq,9407; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.asp; classtype:attempted-user; sid:2329; rev:2;)
> --
> Sid:
> 2329
> --
> Summary:
> This event is generated when an attempt is made to exploit a known
> vulnerability in Microsoft Windows Data Access Components.
> --
> False Positives:
> I have noticed false positives with our NFS servers when the payload
> fits the snort rule.

What is the $SQL_SERVERS variable set to?

> Corrective Action:
> Maybe exclude UDP port 2049 (NFS).

This may lead to false negatives.

-------------------------------------------------------------
Nigel Houghton  Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
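
Added example (not code from this thread, from Snort or from Sourcefire): a Python model of the payload options in SID 2329 and of the proposed port exclusion, run over constructed datagrams to show why an NFS datagram can satisfy the rule and what a port exclusion trades away. The datagram contents, the function names and the content-retry behaviour noted in the comments are assumptions.

```python
# Added example, not from the thread or from Snort: models SID 2329's payload checks
# and the proposed port exclusion. All datagrams below are constructed test data.

def sid2329_payload_match(payload: bytes) -> bool:
    """True if payload satisfies the content/byte_test/isdataat options of
    SID 2329 ($SQL_SERVERS and port checks are handled separately)."""
    # content:"|05|"; depth:1  -> the first byte must be 0x05
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    # byte_test:2,>,512,1  -> big-endian 16-bit value at offset 1 must exceed 512
    if int.from_bytes(payload[1:3], "big") <= 512:
        return False
    # content:"|3b|"; distance:0  -> a ';' somewhere after the 0x05 byte. Snort
    # retries later occurrences when the trailing options fail, so every ';'
    # is tried here (assumption: close enough to Snort's retry for illustration).
    pos = payload.find(b";", 1)
    while pos != -1:
        after = payload[pos + 1:]
        # isdataat:512,relative       -> at least 512 bytes follow the ';'
        # content:!"|3b|"; within:512 -> and none of those 512 bytes is ';'
        if len(after) >= 512 and b";" not in after[:512]:
            return True
        pos = payload.find(b";", pos + 1)
    return False

def sid2329_alert(port: int, payload: bytes, excluded_ports=()) -> bool:
    """Proposed fix modelled: no alert when the UDP port is on the exclusion list."""
    if port in excluded_ports:
        return False
    return sid2329_payload_match(payload)

# Constructed datagram shaped like the response the rule targets: 0x05, a
# length field > 512, "ServerName;" and then a 600-byte field with no ';'.
PROBE_RESPONSE_OVERFLOW = (b"\x05" + (620).to_bytes(2, "big")
                           + b"ServerName;" + b"A" * 600)

# Constructed benign discovery response: small length, short ';'-delimited fields.
PROBE_RESPONSE_BENIGN = (b"\x05" + (60).to_bytes(2, "big")
                         + b"ServerName;SQLBOX;InstanceName;MSSQLSERVER;tcp;1433;;")

# Constructed NFS-like datagram: a leading 0x05 (say, the high byte of an RPC
# XID), a large value at offset 1, a ';' inside a file name and then more than
# 512 bytes of file contents without a ';'. The rule fires: a false positive.
NFS_LOOKALIKE = (b"\x05\x1a\x2b" + b"\x00" * 20 + b"dir;name"
                 + bytes(range(32, 59)) * 30)

if __name__ == "__main__":
    for name, data in [("overflow", PROBE_RESPONSE_OVERFLOW), ("benign", PROBE_RESPONSE_BENIGN), ("nfs", NFS_LOOKALIKE)]:
        print(name, sid2329_payload_match(data))          # True, False, True
    # Excluding 2049 removes the NFS noise, but the rule is now blind on that port.
    print("nfs, 2049 excluded:", sid2329_alert(2049, NFS_LOOKALIKE, (2049,)))  # False
```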
