[Snort-users] MS-SQL Probe when listening to streaming radio! ???

Joel Esler joel.esler at ...1935...
Wed Mar 29 07:15:08 EST 2006


Better than commenting the rule out, can you file a false positive  
report?

Joel


On Mar 29, 2006, at 10:07 AM, Briggs, Bruce wrote:

> In your snort.conf, the default value for your SQL servers is:
>     var SQL_SERVERS $HOME_NET
>
> Replace $HOME_NET with the actual IP addrs of any internal SQL  
> servers.
>
> Or comment out the alert for SID 2329 in sql.rules.
>
> Then you won't see these false positives any more.
>
> Many use Oinkmaster to manage commented out alerts across Snort  
> signature updates.
>
> Bruce
>
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jeffery Gunter
> Sent: Wednesday, March 29, 2006 8:54 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] MS-SQL Probe when listening to streaming  
> radio! ???
>
> Hi Folks;
>
> I’m quite new to snort.  I have a user using Win Media Player to  
> listen to streaming radio from WIMZ out of Knoxville, TN. My issue  
> is that it is causing snort to go crazy. I've received over 100 of  
> the following messages:
>
> IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt  
> [Classification: Attempted User Privilege Gain] [Priority: 1]:  
> {UDP} 66.250.188.37:2267 -> 10.88.220.65:1215
>
> My user's ip is 65 and when I had her stop accessing the stream the  
> messages stopped? What is up with this? I have no SQL services  
> running on her computer?
>
> Thanks for your help!
>
> J
>
> Jeffery Gunter  |  Chief Information Officer  |  Citizens Bank of  
> East Tennessee  | http://www.cbetn.com
>
> email:  jgunter at ...13738...
>
> Land:  423-272-2200  x17
>
> Cell:  423-754-5157
>
> Fax:  423-272-2322
>
>
>

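Added example, not part of the original thread: a Python sketch that parses alerts in the format quoted above and splits SID 2329 hits by whether the destination is a listed SQL server, showing which alerts a narrowed SQL_SERVERS would no longer cover. It assumes the rule is scoped by that variable, as the reply describes; the 10.88.220.10 server address and every sample line except the first are constructed.

```python
import ipaddress
import re
from collections import Counter

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[Classification:"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Hypothetical inventory of hosts that really run MS-SQL (constructed value).
SQL_SERVERS = [ipaddress.ip_network("10.88.220.10/32")]

# First line is the alert quoted in the thread; the others are constructed.
SAMPLE_ALERTS = [
    "IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: "
    "{UDP} 66.250.188.37:2267 -> 10.88.220.65:1215",
    "IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: "
    "{UDP} 192.0.2.44:1434 -> 10.88.220.10:3021",
    "malformed line without an alert header",
]

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        d[key] = int(d[key])
    return d

def triage(lines, sid, sql_servers):
    """Count alerts for `sid` per destination, split by SQL-server membership."""
    on_sql, not_sql = Counter(), Counter()
    for alert in filter(None, map(parse_alert, lines)):
        if alert["sid"] != sid:
            continue
        dst = ipaddress.ip_address(alert["dst"])
        bucket = on_sql if any(dst in net for net in sql_servers) else not_sql
        bucket[alert["dst"]] += 1
    return on_sql, not_sql

if __name__ == "__main__":
    on_sql, not_sql = triage(SAMPLE_ALERTS, 2329, SQL_SERVERS)
    print("destination in SQL_SERVERS (review):", dict(on_sql))
    print("destination outside SQL_SERVERS (tuning candidates):", dict(not_sql))
```

Destinations in the second group are the ones to attach to a false positive report, since no SQL service is expected on them.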