[Snort-sigs] MSSQL False Neg
Bill Scherr IV
bschnzl at ...3374...
Tue Dec 1 21:37:51 EST 2009
From a # snort -c <file> -T 2>&1 | less:
gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
So the thresholding is set. That seems a bit tight. This guy passes one packet every 2.25 seconds.
IMHO, that passes for a brute force attempt. Granted, this service should not be subjected to one of
these attacks, but 2 to 3 attempts per second is kind of heavy.
I shifted the threshold to 1800 seconds on my sensors.
Thanks for your very well explained effort.
Circa 19:14, 1 Dec 2009, a note, claiming source Matt Olney <molney at ...435...>, was sent to
Date sent: Tue, 1 Dec 2009 19:14:57 -0500
Subject: Re: [Snort-sigs] MSSQL False Neg
From: Matt Olney <molney at ...435...>
To: Nigel Houghton <nhoughton at ...435...>
Copies to: bschnzl at ...3374..., snort-sigs at lists.sourceforge.net
> The rule seems to be correct, I'm thinking there is a thresholding
> issue somewhere. Looking at it, it looks like it should alert if you
> see 5 packets in a 2 second period that match this rule. If you want
> to check the non-thresholding portion of the rule, try the following
> local rule:
Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
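Added example, not part of the thread and not Snort's own code: a simplified Python model of the Snort 2.x `type threshold, track by_src` semantics that both posters are reasoning about (Snort's threshold.conf line would read `threshold gen_id 1, sig_id 3543, type threshold, track by_src, count 5, seconds 2`). It replays a constructed one-packet-every-2.25-seconds login loop through the shipped `count 5, seconds 2` setting and through the `seconds 1800` setting Bill moved to, so you can see why the first never fires on a slow loop and the second does. The window-reset details are an assumption about Snort's behaviour, and the source address and timestamps are constructed.

```python
"""Model of Snort 2.x event thresholding: type threshold, track by_src.

This is NOT Snort's code. It is a simplified re-implementation (an
assumption about the exact window handling) of the documented semantics
"alert every N matching events from one tracked address within S seconds",
written to show why count=5/seconds=2 misses a slow login loop that
count=5/seconds=1800 catches. All traffic below is constructed.
"""
from collections import defaultdict


class ThresholdTracker:
    """One threshold entry, e.g.

        threshold gen_id 1, sig_id 3543, type threshold, track by_src,
                  count 5, seconds 2

    Modelled behaviour: a window opens on the first event from a source;
    events landing at or beyond `seconds` after the window opened start a
    new window instead; when `count` events accumulate in one window the
    tracker reports an alert and resets that source.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self._state = defaultdict(lambda: {"start": None, "n": 0})

    def event(self, src, ts):
        """Record one rule match from `src` at time `ts` (seconds).

        Returns True when an alert should be logged for this event.
        """
        st = self._state[src]
        if st["start"] is None or ts - st["start"] >= self.seconds:
            # first event, or the window expired: open a fresh window
            # holding only this event
            st["start"], st["n"] = ts, 1
        else:
            st["n"] += 1
        if st["n"] >= self.count:
            # fire and reset the source, as type threshold does
            st["start"], st["n"] = None, 0
            return True
        return False


def alerts_for(events, count, seconds):
    """Replay (src, timestamp) events through one threshold entry.

    Returns the timestamps of the events that produced an alert.
    """
    tracker = ThresholdTracker(count, seconds)
    return [ts for src, ts in events if tracker.event(src, ts)]


def slow_loop(src, interval, duration):
    """Constructed traffic: one matching packet from `src` every
    `interval` seconds, starting at t=0, for `duration` seconds."""
    n = int(duration / interval) + 1
    return [(src, round(i * interval, 3)) for i in range(n)]


if __name__ == "__main__":
    # Constructed source address; the 2.25 s cadence is the one from the post.
    loop = slow_loop("10.0.0.5", 2.25, 60)
    print("count 5, seconds 2    ->", alerts_for(loop, 5, 2))
    print("count 5, seconds 1800 ->", alerts_for(loop, 5, 1800))
```

With the shipped setting every packet arrives 2.25 s after the previous one, so each packet opens a new window and the count never reaches 5: the slow loop is a clean false negative. With the 1800 s window the fifth packet (t=9.0) fires and every fifth packet after it fires again, while a burst of five packets inside a second still fires under either setting. Tracking is per source, so several hosts each sending a few packets do not add up to one alert.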