[Snort-sigs] FP: BLEEDING-EDGE MS-SQL DOS bouncing packets / DOS attempt (08)

Matt Jonkman matt at ...2436...
Fri Mar 11 17:21:45 EST 2005


Good idea, thanks. We'll adjust.

So if you're having false issues be sure to define sql_servers. And it 
might be worthwhile to do an nmap sweep for 1434 to be sure you know 
where those are.

Matt

James Riden wrote:
> These will fire on some valid DNS replies where the ephemeral dst port
> happens to be 1434/udp. Might be best to swap $HOME_NET to
> $SQL_SERVERS if you think you know where your SQL servers
> are. However, sadly with MSDE, it can be pretty hard to know which
> machines *are* running MS-SQL.
> 
> cheers,
>  Jamie
> 
> alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS bouncing packets"; content:"|0A|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000381; rev:1;)
> 
> alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS attempt (08)"; content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; dsize:>1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000378; rev:1;)
> 
> 
> ------------------------------------------------------------------------------
> #(5 - 115084) [2005-02-12 15:24:32.281] [url/www.nextgenss.com/papers/tp-SQL2000.pdf] [snort/2000381]  BLEEDING-EDGE MS-SQL DOS bouncing packets
> IPv4: 130.123.128.32 -> 130.123.144.11
>       hlen=5 TOS=0 dlen=142 ID=28407 flags=0 offset=0 TTL=64 chksum=46661
> UDP:  port=53 -> dport: 1434 len=122
> Payload:  length = 114
> 
> 000 : 0A 57 81 83 00 01 00 00 00 01 00 00 08 69 74 30   .W...........it0
> 010 : 30 35 30 35 33 06 69 6E 72 6C 61 62 05 6C 6F 63   05053.inrlab.loc
> 020 : 61 6C 00 00 01 00 01 00 00 06 00 01 00 00 07 48   al.............H
> 030 : 00 40 01 41 0C 52 4F 4F 54 2D 53 45 52 56 45 52   . at ...3023...
> 040 : 53 03 4E 45 54 00 05 4E 53 54 4C 44 0C 56 45 52   S.NET..NSTLD.VER
> 050 : 49 53 49 47 4E 2D 47 52 53 03 43 4F 4D 00 77 82   ISIGN-GRS.COM.w.
> 060 : 31 AC 00 00 07 08 00 00 03 84 00 09 3A 80 00 01   1...........:...
> 070 : 51 80                                             Q.
> 
> 
> ------------------------------------------------------------------------------
> #(5 - 508848) [2005-03-12 06:46:26.783] [url/www.nextgenss.com/papers/tp-SQL2000.pdf] [snort/2000378]  BLEEDING-EDGE MS-SQL DOS attempt (08)
> IPv4: 130.123.128.32 -> 130.123.32.254
>       hlen=5 TOS=0 dlen=116 ID=15551 flags=0 offset=0 TTL=64 chksum=22437
> UDP:  port=53 -> dport: 1434 len=96
> Payload:  length = 88
> 
> 000 : 08 9E 85 83 00 01 00 00 00 01 00 00 08 69 74 30   .............it0
> 010 : 30 36 31 35 30 06 6D 61 73 73 65 79 02 61 63 02   06150.massey.ac.
> 020 : 6E 7A 00 00 01 00 01 C0 15 00 06 00 01 00 00 1C   nz..............
> 030 : 20 00 25 08 74 75 72 2D 6E 65 74 31 C0 15 03 73    .%.tur-net1...s
> 040 : 6F 61 C0 15 00 14 E3 AF 00 00 1C 20 00 00 01 2C   oa......... ...,
> 050 : 00 12 75 00 00 00 A8 C0                           ..u.....
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.




More information about the Snort-sigs mailing list