[Snort-users] Wrong rule's signature for "MS-SQL Worm propagation attempt"

Phong Nguyen nguyen.phong at ...12197...
Wed Jul 28 06:10:05 EDT 2004


Hello all,

I'm facing a problem that I cannot resolved by myself. My snort is detecting  
"MS-SQL Worm propagation attempt" alerts but wich are in fact "ICMP Source 
Quench" alerts !!! I'm sure of that because when I look to the alert, it 
shows me a ICMP request (type 4).

Because my firewall is blocking IP address when a "MS-SQL Worm propagation 
attempt" alert is detected, so are some IP address wrongly blocked when they 
sent ICMP Source Quench !! 

Could somebody help me please
Thanks a lot

Phong
 
-- 
Nguyen Phong
Axone Services & Developments
2 crs de Rive
1204 GE/CH





More information about the Snort-users mailing list