[Snort-users] Problem detecting MS-SQL sa login failures?

Anton Christian anton_christian at ...131...
Thu May 6 15:56:02 EDT 2004

As a test, an outsider ran an "sa" password cracking program against our MS-SQL

Our RealSecure Network Sensor (v7) successfully detected and reported the
attacks as "SQL_Auth_Failed" events.

Alas, our Snort 2.1.1 sensor apparently did not detect this attack.  I was
expecting to see "MS-SQL sa login failed" alerts in the log but none were
generated.  The rule is enabled:

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed";
content: "Login failed for user |27|sa|27|"; flow:from_server,established;
classtype:unsuccessful-user; sid:688; rev:4;)

$SQL_SERVERS includes our SQL server.

Our Snort sensor monitors the same external segment as the RealSecure box, and
mostly, the alerts from the two boxes correlate.

Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  

More information about the Snort-users mailing list