[Snort-sigs] Snort SIG update - false positives on SID 2329

Nigel Houghton nigel at ...435...
Mon Mar 29 06:31:03 EST 2004

On  0, "Dr. Christoph Wegener" <wegener at ...2349...> allegedly wrote:
> Rule:
> alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe
> response overflow attempt"; content:"|05|"; depth:1;
> byte_test:2,>,512,1; content:"|3b|"; distance:0;
> isdataat:512,relative; content:!"|3b|"; within:512;
> reference:cve,CAN-2003-0903; reference:bugtraq,9407;
> reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.asp;
> classtype:attempted-user; sid:2329;
> rev:2;)
> --
> Sid:
> 2329
> --
> Summary:
> This event is generated when an attempt is made to exploit a known
> vulnerability in Microsoft Windows Data Access Components.
> --
> False Positives:
> I have noticed false positives with our NFS servers when the payload
> fits the Snort rule.

What is the $SQL_SERVERS variable set to?

> Corrective Action:
> Maybe exclude UDP port 2049 (NFS).

This may lead to false negatives.

Nigel Houghton  Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
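To make the false-positive discussion concrete, here is an added example (not code from the thread, from Sourcefire, or from the Snort distribution) that emulates the matching logic of SID 2329 rev 2 over raw UDP payloads in Python. The four sample payloads are constructed for this example: one shaped like the probe-response overflow the rule targets, one too short to match, one that only matches after Snort backtracks to a later ";", and one laid out like an ONC RPC reply carrying NFS file data whose client-chosen XID happens to begin with 0x05. The last one shows why an NFS reply can satisfy every option in the rule. The treatment of `isdataat:512,relative` as "at least 512 bytes follow the match" is an assumption; the samples stay well clear of that boundary.

```python
"""Emulate Snort SID 2329 (rev 2) option by option over a UDP payload.

Rule options, in order:
  content:"|05|"; depth:1;        -> payload[0] == 0x05
  byte_test:2,>,512,1;            -> big-endian uint16 at offset 1 is > 512
  content:"|3b|"; distance:0;     -> a ';' somewhere after the |05| match
  isdataat:512,relative;          -> at least 512 bytes follow that ';'
                                     (assumed reading of isdataat)
  content:!"|3b|"; within:512;    -> none of those 512 bytes is ';'

Snort tries each candidate ';' in turn before declaring no match; the
loop below does the same.
"""
import struct


def sid_2329_matches(payload: bytes) -> bool:
    # content:"|05|"; depth:1
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    # byte_test:2,>,512,1 -- absolute offset 1, default big-endian, does
    # not move the relative-match cursor
    (length_field,) = struct.unpack_from(">H", payload, 1)
    if not length_field > 512:
        return False
    # content:"|3b|"; distance:0 -- relative to the end of the |05| match,
    # so the search starts at offset 1; backtrack over every ';'
    pos = payload.find(b";", 1)
    while pos != -1:
        after = payload[pos + 1 : pos + 1 + 512]
        # isdataat:512,relative and content:!"|3b|"; within:512
        if len(after) >= 512 and b";" not in after:
            return True
        pos = payload.find(b";", pos + 1)
    return False


# Constructed sample payloads (not captured traffic).

# Shaped like the overflow the rule targets: 0x05, a large length field,
# a ';' and then a long run with no further ';'.
EXPLOIT_SHAPED = b"\x05" + struct.pack(">H", 1024) + b"\x00;" + b"A" * 600

# Same prefix, but far fewer than 512 bytes after the ';'.
BENIGN_SHORT = b"\x05\x04\x00;" + b"A" * 100

# First ';' is followed by another ';' within 512 bytes, so the first
# candidate fails; Snort backtracks to the second ';' and matches.
BACKTRACK = b"\x05\x04\x00;x;" + b"A" * 600

# Laid out like an ONC RPC reply (RFC 5531 header) carrying NFS file data.
# The XID is chosen by the client; this one happens to start with 0x05 and
# its next two bytes read as 0x029a = 666, which is > 512.
_RPC_REPLY_HEADER = (
    b"\x05\x02\x9a\x1b"          # xid
    + struct.pack(">I", 1)       # msg_type = REPLY
    + struct.pack(">I", 0)       # reply_stat = MSG_ACCEPTED
    + struct.pack(">II", 0, 0)   # verifier: flavor AUTH_NONE, length 0
    + struct.pack(">I", 0)       # accept_stat = SUCCESS
    + struct.pack(">I", 0)       # NFS status = OK
)
# File contents: an ini-style comment line (has a ';'), then 600 bytes of
# settings with no ';' at all.
_INI_CHUNK = b"; php.ini\n" + b"memory_limit = 128M\n" * 30
NFS_LIKE = _RPC_REPLY_HEADER + _INI_CHUNK


def classify_samples() -> dict:
    """Run every constructed sample through the emulated rule."""
    return {
        "exploit_shaped": sid_2329_matches(EXPLOIT_SHAPED),
        "benign_short": sid_2329_matches(BENIGN_SHORT),
        "backtrack": sid_2329_matches(BACKTRACK),
        "nfs_like": sid_2329_matches(NFS_LIKE),
    }


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:15s} -> {'ALERT' if hit else 'no match'}")
```

The rule never looks at anything protocol-specific beyond the first three bytes, so any UDP reply that starts with 0x05, carries a big-endian value above 512 in bytes 1 and 2, and contains a ";" followed by half a kilobyte of ";"-free data will fire it. That is exactly the shape of a file-data reply from an NFS server inside $SQL_SERVERS, which is why the variable's value matters for the false positives reported above.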
