[Snort-users] Problem detecting MS-SQL sa login failures?
anton_christian at ...131...
Thu May 6 15:56:02 EDT 2004
As a test, an outsider ran an "sa" password cracking program against our MS-SQL
Our RealSecure Network Sensor (v7) successfully detected and reported the
attacks as "SQL_Auth_Failed" events.
Alas, our Snort 2.1.1 sensor apparently did not detect this attack. I was
expecting to see "MS-SQL sa login failed" alerts in the log but none were
generated. The rule is enabled:
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed";
content: "Login failed for user |27|sa|27|"; flow:from_server,established;
classtype:unsuccessful-user; sid:688; rev:4;)
$SQL_SERVERS includes our SQL server.
Our Snort sensor monitors the same external segment as the RealSecure box, and
mostly, the alerts from the two boxes correlate.
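
The following is an added example, not part of the original post and not Snort's own code. It is one way to check offline whether the content string of sid:688 as quoted above would match a given server response. Both sample payloads are constructed; that the server may send the message text as UTF-16LE is an assumption to confirm against a packet capture of the real login failure.

```python
# Content option from sid:688 rev:4, exactly as quoted in the post.
RULE_CONTENT = "Login failed for user |27|sa|27|"

def snort_content_to_bytes(content: str) -> bytes:
    """Expand a Snort content string (literal text with |hex| runs) to bytes.
    Backslash escapes are not handled; the quoted rule uses none."""
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        # Even-indexed parts are literal text, odd-indexed parts are hex.
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def wide_content(pattern: bytes) -> str:
    """Render a byte pattern as a Snort content string for its UTF-16LE form."""
    return "|" + " ".join(f"{b:02X} 00" for b in pattern) + "|"

def diagnose(payload: bytes) -> dict:
    """Report whether the payload matches the rule as written (single-byte
    characters) or only when the same text is encoded as UTF-16LE."""
    narrow = snort_content_to_bytes(RULE_CONTENT)
    wide = narrow.decode("latin-1").encode("utf-16-le")
    return {"as_written": narrow in payload, "utf16le": wide in payload}

# Constructed samples: message text only, protocol framing omitted.
MESSAGE = "Login failed for user 'sa'."
ASCII_SAMPLE = MESSAGE.encode("ascii")
WIDE_SAMPLE = MESSAGE.encode("utf-16-le")  # assumed wire encoding, verify in a capture

if __name__ == "__main__":
    for name, sample in (("ascii", ASCII_SAMPLE), ("utf-16-le", WIDE_SAMPLE)):
        print(name, diagnose(sample))
    # Candidate content string to test if only the wide form matches.
    print(wide_content(snort_content_to_bytes(RULE_CONTENT)))
```

Replacing the constructed samples with the TCP payload bytes exported from a capture of the failed login shows which form, if either, is present on the wire.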