[Snort-users] Rules update..

Marc Hering mhering at ...13116...
Fri Mar 4 08:14:05 EST 2005

Hey Guys,
Well, I am still setting up my very first install of the pig, and so far
it's been an interesting road. First I had a bum hub that was not
letting traffic flow to the eth1 interface (hence no data :) ) and now
I am running into some more fun.
For some reason, on my test network Snort is generating some alerts that
I wasn't expecting to see. I see occasional SQL-PING attempts. The rule
that gets violated is:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:4;)
According to the Snort site, this shouldn't ever be a false positive,
but the only machines generating this alert are the machines that either
have SQL Server or the MSDE installed. Should I be worried or just
move on to the next phase? :)
Thanks in advance!!
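
Added example, not part of the original post: a small Python model of what sid 2049 tests (UDP, destination port 1434 inside HOME_NET, first payload byte 0x02), used to sort alerts by whether the sender is itself inside HOME_NET. The HOME_NET range, the addresses and the `external_any` switch (EXTERNAL_NET as `any` versus `!$HOME_NET`) are assumptions, since the post does not show its snort.conf; the request-type names are those of the SQL Server Resolution Protocol (MS-SQLR).

```python
import ipaddress

# MS-SQLR client request types, keyed by the first payload byte.
SSRP_REQUEST = {0x02: "CLNT_BCAST_EX", 0x03: "CLNT_UCAST_EX", 0x04: "CLNT_UCAST_INST"}

def matches_sid_2049(pkt, home_net, external_any=True):
    """Header and payload test of the rule.

    external_any=True models 'var EXTERNAL_NET any';
    external_any=False models 'var EXTERNAL_NET !$HOME_NET'.
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["proto"] != "udp" or pkt["dport"] != 1434 or dst not in home_net:
        return False
    if not external_any and src in home_net:
        return False
    # content:"|02|"; depth:1;  -> 0x02 must be the first payload byte
    return pkt["payload"][:1] == b"\x02"

def triage(pkt, home_net):
    """Label a packet by whether the rule fires and where the sender sits."""
    if not matches_sid_2049(pkt, home_net):
        return "no-match"
    inside = ipaddress.ip_address(pkt["src"]) in home_net
    return "internal-source" if inside else "external-source"

# Constructed sample traffic; HOME_NET and all addresses are assumptions.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
SAMPLES = [
    {"proto": "udp", "src": "192.168.1.20", "dst": "192.168.1.255", "dport": 1434, "payload": b"\x02"},
    {"proto": "udp", "src": "203.0.113.9", "dst": "192.168.1.10", "dport": 1434, "payload": b"\x02"},
    {"proto": "udp", "src": "192.168.1.20", "dst": "192.168.1.10", "dport": 1434, "payload": b"\x04INST1\x00"},
    {"proto": "udp", "src": "192.168.1.20", "dst": "192.168.1.10", "dport": 53, "payload": b"\x02\x00"},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        kind = SSRP_REQUEST.get(pkt["payload"][0], "other")
        print(pkt["src"], "->", pkt["dst"], kind, triage(pkt, HOME_NET))
```

With EXTERNAL_NET modeled as `any`, the first sample (an internal host sending the broadcast request) fires the rule just as the outside sender does; with `!$HOME_NET` only the outside sender matches.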