[Snort-sigs] FP: BLEEDING-EDGE MS-SQL DOS bouncing packets / DOS attempt (08)

James Riden j.riden at ...1766...
Fri Mar 11 15:07:36 EST 2005


These will fire on some valid DNS replies where the ephemeral dst port
happens to be 1434/udp. Might be best to swap $HOME_NET to
$SQL_SERVERS if you think you know where your SQL servers
are. However, sadly with MSDE, it can be pretty hard to know which
machines *are* running MS-SQL.

cheers,
 Jamie

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS bouncing packets"; content:"|0A|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000381; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS attempt (08)"; content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; dsize:>1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000378; rev:1;)


------------------------------------------------------------------------------
#(5 - 115084) [2005-02-12 15:24:32.281] [url/www.nextgenss.com/papers/tp-SQL2000.pdf] [snort/2000381]  BLEEDING-EDGE MS-SQL DOS bouncing packets
IPv4: 130.123.128.32 -> 130.123.144.11
      hlen=5 TOS=0 dlen=142 ID=28407 flags=0 offset=0 TTL=64 chksum=46661
UDP:  port=53 -> dport: 1434 len=122
Payload:  length = 114

000 : 0A 57 81 83 00 01 00 00 00 01 00 00 08 69 74 30   .W...........it0
010 : 30 35 30 35 33 06 69 6E 72 6C 61 62 05 6C 6F 63   05053.inrlab.loc
020 : 61 6C 00 00 01 00 01 00 00 06 00 01 00 00 07 48   al.............H
030 : 00 40 01 41 0C 52 4F 4F 54 2D 53 45 52 56 45 52   .@.A.ROOT-SERVER
040 : 53 03 4E 45 54 00 05 4E 53 54 4C 44 0C 56 45 52   S.NET..NSTLD.VER
050 : 49 53 49 47 4E 2D 47 52 53 03 43 4F 4D 00 77 82   ISIGN-GRS.COM.w.
060 : 31 AC 00 00 07 08 00 00 03 84 00 09 3A 80 00 01   1...........:...
070 : 51 80                                             Q.


------------------------------------------------------------------------------
#(5 - 508848) [2005-03-12 06:46:26.783] [url/www.nextgenss.com/papers/tp-SQL2000.pdf] [snort/2000378]  BLEEDING-EDGE MS-SQL DOS attempt (08)
IPv4: 130.123.128.32 -> 130.123.32.254
      hlen=5 TOS=0 dlen=116 ID=15551 flags=0 offset=0 TTL=64 chksum=22437
UDP:  port=53 -> dport: 1434 len=96
Payload:  length = 88

000 : 08 9E 85 83 00 01 00 00 00 01 00 00 08 69 74 30   .............it0
010 : 30 36 31 35 30 06 6D 61 73 73 65 79 02 61 63 02   06150.massey.ac.
020 : 6E 7A 00 00 01 00 01 C0 15 00 06 00 01 00 00 1C   nz..............
030 : 20 00 25 08 74 75 72 2D 6E 65 74 31 C0 15 03 73    .%.tur-net1...s
040 : 6F 61 C0 15 00 14 E3 AF 00 00 1C 20 00 00 01 2C   oa......... ...,
050 : 00 12 75 00 00 00 A8 C0                           ..u.....

-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
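The two captured payloads above are ordinary DNS replies (source port 53, QR bit set, NXDOMAIN) whose transaction ID happens to start with 0x0A or 0x08. The script below is an added example, not part of James's post or of the bleeding-edge ruleset: it transcribes the two hex dumps, decodes the DNS header and question name, emulates the byte checks the two rules make, and shows a triage check that tells a DNS reply apart from a genuine 1434/udp probe. The function names and the `triage` verdict strings are the example's own.

```python
"""
Added example: decode the two Snort-captured payloads quoted in the post
and emulate the content checks of sids 2000381 and 2000378.
Requires Python 3.7+ (bytes.fromhex() ignores whitespace).
"""
import struct

# Payloads transcribed from the two alert hex dumps above.
BOUNCING_PACKETS = bytes.fromhex("""
    0A 57 81 83 00 01 00 00 00 01 00 00 08 69 74 30
    30 35 30 35 33 06 69 6E 72 6C 61 62 05 6C 6F 63
    61 6C 00 00 01 00 01 00 00 06 00 01 00 00 07 48
    00 40 01 41 0C 52 4F 4F 54 2D 53 45 52 56 45 52
    53 03 4E 45 54 00 05 4E 53 54 4C 44 0C 56 45 52
    49 53 49 47 4E 2D 47 52 53 03 43 4F 4D 00 77 82
    31 AC 00 00 07 08 00 00 03 84 00 09 3A 80 00 01
    51 80
""")

DOS_ATTEMPT_08 = bytes.fromhex("""
    08 9E 85 83 00 01 00 00 00 01 00 00 08 69 74 30
    30 36 31 35 30 06 6D 61 73 73 65 79 02 61 63 02
    6E 7A 00 00 01 00 01 C0 15 00 06 00 01 00 00 1C
    20 00 25 08 74 75 72 2D 6E 65 74 31 C0 15 03 73
    6F 61 C0 15 00 14 E3 AF 00 00 1C 20 00 00 01 2C
    00 12 75 00 00 00 A8 C0
""")


def rule_2000381_matches(payload: bytes) -> bool:
    """content:"|0A|"; depth:1  ->  first payload byte is 0x0A."""
    return len(payload) >= 1 and payload[0] == 0x0A


def rule_2000378_matches(payload: bytes) -> bool:
    """content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; dsize:>1
    ->  first byte 0x08, second byte anything but 0x3A, at least 2 bytes."""
    return len(payload) > 1 and payload[0] == 0x08 and payload[1] != 0x3A


def parse_dns_header(payload: bytes):
    """Decode the 12-byte DNS header; None if the datagram is too short."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),        # 1 = response
        "opcode": (flags >> 11) & 0xF,     # 0 = standard query
        "aa": bool(flags & 0x0400),
        "rcode": flags & 0xF,              # 3 = NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def first_question_name(payload: bytes) -> str:
    """Read the uncompressed QNAME that follows the header."""
    labels, pos = [], 12
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # pointers never appear in a sane QNAME
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def looks_like_dns_reply(payload: bytes, sport: int) -> bool:
    """A reply from udp/53 with the QR bit set and exactly one question."""
    hdr = parse_dns_header(payload)
    return (hdr is not None and sport == 53 and hdr["qr"]
            and hdr["opcode"] == 0 and hdr["qdcount"] == 1)


def triage(payload: bytes, sport: int, dport: int) -> str:
    """Verdict for an alert on udp/1434: explain the rule hit, then decide
    whether the datagram is really a DNS reply to an ephemeral port."""
    if dport != 1434:
        return "not-1434"
    hit = rule_2000381_matches(payload) or rule_2000378_matches(payload)
    if not hit:
        return "no-match"
    return "likely-fp-dns-reply" if looks_like_dns_reply(payload, sport) else "investigate"


if __name__ == "__main__":
    for name, pkt in (("2000381", BOUNCING_PACKETS), ("2000378", DOS_ATTEMPT_08)):
        hdr = parse_dns_header(pkt)
        print(name, first_question_name(pkt), "id=0x%04X rcode=%d" % (hdr["id"], hdr["rcode"]),
              triage(pkt, sport=53, dport=1434))
```

The decoded transaction IDs (0x0A57 and 0x089E) are what the two rules' first-byte checks actually keyed on. Note that the source-port test in `looks_like_dns_reply` is only a tuning aid, since any UDP sender can pick port 53; that is why the post's real suggestion is to narrow the destination from $HOME_NET to $SQL_SERVERS rather than to trust the source.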