[Snort-users] MS-SQL Probe when listening to streaming radio! ???

Andrew andrewwilly at ...11827...
Wed Mar 29 08:09:15 EST 2006


Jeffery Gunter wrote:
>
> Hi Folks;
>
> I’m quite new to snort. I have a user using Win Media Player to listen 
> to streaming radio from WIMZ out of Knoxville, TN. My issue is that it 
> is causing snort to go crazy. I've received over 100 of the following 
> messages:
>
> *IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt 
> [Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP} 
> 66.250.188.37:2267 -> 10.88.220.65:1215*
>
> My user's ip is 65 and when I had her stop accessing the stream the 
> messages stopped? What is up with this? I have no SQL services running 
> on her computer?
>
> Thanks for your help!
>
> J
>
> Jeffery Gunter | Chief Information Officer | Citizens Bank of East 
> Tennessee | http://www.cbetn.com
>
> email: jgunter at ...13738...
>
> Land: 423-272-2200 x17
>
> Cell: 423-754-5157
>
> Fax: 423-272-2322
>
The exploit the alert refers to can target MDAC.

The rule has known false positives from certain games. It is possible 
that some of the streaming traffic from this radio site triggers the 
alert. Verify that the source IP belongs to the radio site and check the 
contents of the offending packet.

You may also configure the $SQL_SERVERS variable to correct this if the 
traffic is determined to be legitimate.

For more information: http://www.snort.org/pub-bin/sigs.cgi?sid=2329

Andrew

P.S. It is a nice administrator that permits staff to listen to Internet 
radio at work. =)
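
The triage suggested in the reply above, as an added example that is not part of the original post: it parses alerts in the format quoted in the message, groups them by rule, source and destination, and attaches a hint based on two analyst-supplied lists. The SQL host `10.88.220.10`, the `203.0.113.5` alert and the hint wording are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Alert layout as quoted in the message above (one alert per log line).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification: (?P<cls>[^\]]+)\]\s+\[Priority: (?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def triage(lines, sql_servers, verified_sources):
    """Group alerts by (sid, src, dst) and attach a triage hint to each group."""
    sql_nets = [ipaddress.ip_network(n) for n in sql_servers]
    src_nets = [ipaddress.ip_network(n) for n in verified_sources]
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["sid"], alert["src"], alert["dst"])] += 1
    report = []
    for (sid, src, dst), n in counts.most_common():
        if in_any(dst, sql_nets):
            hint = "investigate: destination is a listed SQL host"
        elif in_any(src, src_nets):
            hint = "probable false positive: verified source, destination not a SQL host"
        else:
            hint = "verify source ownership and inspect the packet payload"
        report.append({"sid": sid, "src": src, "dst": dst, "count": n, "hint": hint})
    return report

# Constructed sample: the alert from the post (ports varied) plus one invented
# alert aimed at a hypothetical SQL host, 10.88.220.10.
FMT = ("IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt "
       "[Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP} %s -> %s")
SAMPLE = [FMT % ("66.250.188.37:2267", "10.88.220.65:1215"),
          FMT % ("66.250.188.37:2268", "10.88.220.65:1215"),
          FMT % ("66.250.188.37:2270", "10.88.220.65:1216"),
          FMT % ("203.0.113.5:1434", "10.88.220.10:3120"),
          "not an alert line"]
```

Call `triage(SAMPLE, ["10.88.220.10/32"], ["66.250.188.37/32"])` only after the source address has been confirmed as the streaming provider's; a "probable false positive" hint still calls for a look at the packet contents before the rule is tuned.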