[Snort-sigs] FP on 2329

Nigel Houghton nigel at ...435...
Fri Jul 21 17:30:21 EDT 2006

On  0, trains at ...2395... wrote:
> Destination port should be "1434", not "any"
> tc

From the document for the rule:

 False Positives:
 Since this rule cannot be constrained using ports and the connection
 state for MSDAC is not tracked, false positive events may occur under
 normal circumstances. The $SQL_SERVERS variable in snort.conf should be
 configured correctly to eliminate this behavior.

     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
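
Added example, not part of the original message or of the rule documentation: a small check that resolves `$SQL_SERVERS` in a snort.conf and reports whether it is scoped tightly enough for the advice quoted above to reduce false positives. It assumes the plain `var`/`ipvar NAME VALUE` and `$NAME` forms only; the sample configs and addresses are constructed.

```python
import re

# Constructed sample configs (not taken from the original message).
BROAD_CONF = """\
var HOME_NET any
var SQL_SERVERS $HOME_NET
"""
TUNED_CONF = """\
var HOME_NET 10.1.0.0/16
# only the hosts that run SQL Server (constructed addresses)
var SQL_SERVERS [10.1.20.15/32,10.1.20.16/32]
"""

VAR_LINE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(\S+)")

def parse_vars(conf_text):
    """Collect variable definitions; commented-out lines do not match."""
    variables = {}
    for line in conf_text.splitlines():
        m = VAR_LINE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def resolve(name, variables, depth=0):
    """Expand $NAME references until only literal values remain."""
    if name not in variables:
        return "$" + name            # leave unknown references visible
    if depth > 10:
        raise ValueError("variable reference loop at " + name)
    return re.sub(r"\$(\w+)",
                  lambda m: resolve(m.group(1), variables, depth + 1),
                  variables[name])

def check_sql_servers(conf_text):
    """Return (resolved value, finding) for SQL_SERVERS."""
    variables = parse_vars(conf_text)
    if "SQL_SERVERS" not in variables:
        return None, "SQL_SERVERS is not defined"
    resolved = resolve("SQL_SERVERS", variables)
    if resolved == "any":
        return resolved, "too broad: matches every host"
    if resolved == resolve("HOME_NET", variables):
        return resolved, "too broad: same as HOME_NET"
    return resolved, "ok: restricted to listed hosts"

if __name__ == "__main__":
    for label, conf in (("broad", BROAD_CONF), ("tuned", TUNED_CONF)):
        print(label, check_sql_servers(conf))
```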
