[Snort-users] Re: MS-SQL Probe when listening to streaming radio

Nigel Houghton nigel at ...1935...
Wed Mar 29 11:45:14 EST 2006


 0, snort-users-request at lists.sourceforge.net:
> 
> Today's Topics:
> 
>    1. MS-SQL Probe when listening to streaming radio!  ??? (Jeffery Gunter)
 
> --__--__--
> 
> Message: 1
> Date: Wed, 29 Mar 2006 08:53:46 -0500
> From: "Jeffery Gunter" <jgunter at ...13738...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] MS-SQL Probe when listening to streaming radio!  ???
> 
> Hi Folks;
> 
> I'm quite new to snort.  I have a user using Win Media Player to listen
> to streaming radio from WIMZ out of Knoxville, TN. My issue is that it
> is causing snort to go crazy. I've received over 100 of the following
> messages:
> 
> IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt
> [Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP}
> 66.250.188.37:2267 -> 10.88.220.65:1215
> 
> My user's ip is 65 and when I had her stop accessing the stream the
> messages stopped? What is up with this? I have no SQL services running
> on her computer?
> 
> Thanks for your help!

Your first stop when looking at what might be happening is the document
associated with the rule.

You will find the docs both on snort.org[0] and in the doc/signatures
directory of the snort source. (each rule has an associated doc)

In the doc, you should see this:

False Positives:
Since this rule cannot be constrained using ports and the connection
state for MSDAC is not tracked, false positive events may occur under
normal circumstances. The $SQL_SERVERS variable in snort.conf should be
configured correctly to eliminate this behavior.

That might help you out.

[0] http://www.snort.org/pub-bin/sigs.cgi?sid=2329

The docs appear to be slightly out of sync with the latest versions,
apologies, we'll fix that shortly.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
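
Added example (not part of the original thread and not Snort code): a Python triage helper that parses alert lines in the format quoted above and counts them per signature and destination, recording whether either endpoint belongs to the networks assigned to `$SQL_SERVERS`. The `SQL_SERVERS` value and the second sample alert are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed contents of $SQL_SERVERS in snort.conf (constructed for this example).
SQL_SERVERS = [ipaddress.ip_network("10.88.220.10/32")]

# Alert format quoted in the thread; ports are optional so portless (ICMP) alerts parse.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def is_sql_server(ip):
    return any(ipaddress.ip_address(ip) in net for net in SQL_SERVERS)

def summarize(lines):
    """Count alerts per (sid, destination, endpoint-in-SQL_SERVERS flag)."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # skip non-alert log lines
        involved = is_sql_server(alert["src"]) or is_sql_server(alert["dst"])
        counts[(alert["sid"], alert["dst"], involved)] += 1
    return counts

SAMPLE = [
    # Alert from the thread, joined onto one line.
    "IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP} "
    "66.250.188.37:2267 -> 10.88.220.65:1215",
    # Constructed alert whose source is inside the assumed SQL_SERVERS.
    "IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP} "
    "10.88.220.10:1434 -> 10.88.220.65:1300",
]

if __name__ == "__main__":
    for (sid, dst, involved), n in sorted(summarize(SAMPLE).items()):
        print(f"sid={sid} dst={dst} sql_server_endpoint={involved} count={n}")
```

Alerts where neither endpoint is a declared SQL server are the ones to review first against the false-positive note in the rule documentation.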



