[Snort-users] Rules update..
mhering at ...13116...
Fri Mar 4 08:14:05 EST 2005
Well I am still setting up my very first install of the pig, and so far
it's been an interesting road. First I had a bum hub that was not
letting traffic flow to the eth1 interface (Hence no data :) ) and now
I am running into some more fun..
For some reason, on my test network Snort is generating some alerts that
I wasn't expecting to see. I see occasional SQL-PING attempts. The rule
that gets violated is:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:4;)
...according to the Snort site, this shouldn't ever be a false positive,
but the only machines generating this alert are the machines that either
have SQL Server or the MSDE installed. Should I be worried or just
move on to the next phase :)
Thanks in advance!!
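
An added example, not part of the original post: a minimal Python evaluator for the header and the content/depth options of the rule quoted above, run over constructed datagrams. The HOME_NET range and every address are assumptions; `EXTERNAL_NET any` is the value the stock snort.conf ships with, and the negated form is written out by hand instead of as `!$HOME_NET`.

```python
import ipaddress
import re

# Rule text as quoted in the post, joined onto one line.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; '
        'content:"|02|"; depth:1; reference:nessus,10674; '
        'classtype:misc-activity; sid:2049; rev:4;)')

def parse_rule(rule):
    """Pull out the header fields and the content/depth options of this rule."""
    header, opts = rule.split("(", 1)
    _action, proto, src, sport, _arrow, dst, dport = header.split()
    content = re.search(r'content:"\|([0-9A-Fa-f ]+)\|"', opts).group(1)
    depth = int(re.search(r"depth:(\d+)", opts).group(1))
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "content": bytes.fromhex(content), "depth": depth}

def in_var(addr, name, variables):
    """True if addr falls in the named variable ('any', a CIDR, or !CIDR)."""
    value = variables[name.lstrip("$")]
    if value == "any":
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(value.lstrip("!"))
    return inside != value.startswith("!")

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, variables, pkt):
    r = parse_rule(rule)
    return (pkt["proto"] == r["proto"]
            and port_ok(r["sport"], pkt["sport"])
            and port_ok(r["dport"], pkt["dport"])
            and in_var(pkt["src"], r["src"], variables)
            and in_var(pkt["dst"], r["dst"], variables)
            # depth:1 limits the content search to the first payload byte
            and r["content"] in pkt["payload"][:r["depth"]])

# Constructed values: HOME_NET and all addresses are assumptions for the example.
LOOSE = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}
TIGHT = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

def pkt(src, payload, dport=1434):
    return {"proto": "udp", "src": src, "sport": 1065, "dst": "192.168.1.10",
            "dport": dport, "payload": payload}

if __name__ == "__main__":
    for src in ("192.168.1.20", "203.0.113.5"):
        for name, v in (("any", LOOSE), ("!HOME_NET", TIGHT)):
            print(src, name, matches(RULE, v, pkt(src, b"\x02")))
```

With `EXTERNAL_NET any`, a host inside HOME_NET is a valid source for this rule, so the source address on each alert is the first thing to check when reading them.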