[Snort-users] Re: MS-SQL Probe when listening to streaming radio

Nigel Houghton nigel at ...1935...
Wed Mar 29 11:45:14 EST 2006

 0, snort-users-request at lists.sourceforge.net:
> Today's Topics:
>    1. MS-SQL Probe when listening to streaming radio!  ??? (Jeffery Gunter)
> --__--__--
> Message: 1
> Date: Wed, 29 Mar 2006 08:53:46 -0500
> From: "Jeffery Gunter" <jgunter at ...13738...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] MS-SQL Probe when listening to streaming radio!  ???
> Hi Folks;=20
> I'm quite new to snort.  I have a user using Win Media Player to listen
> to streaming radio from WIMZ out of Knoxville, TN. My issue is that it
> is causing snort to go crazy. I've received over 100 of the following
> messages:=20
> IDS:S=3Dsnort:ID=3D1:[1:2329:6] MS-SQL probe response overflow attempt
> [Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP}
> ->
> My user's ip is 65 and when I had her stop accessing the stream the
> messages stopped? What is up with this? I have no SQL services running
> on her computer?=20
> Thanks for your help!

Your first stop when looking at what might be happening is the document
associated with the rule.

You will find the docs both on snort.org[0] and in the doc/signatures
directory of the snort source. (each rule has an associated doc)

In the doc, you should see this:

False Positives:
Since this rule cannot be constrained using ports and the connection
state for MSDAC is not tracked, false positive events may occur under
normal circumstances. The $SQL_SERVERS variable in snort.conf should be
configured correctly to eliminate this behavior.

That might help you out.

[0] http://www.snort.org/pub-bin/sigs.cgi?sid=2329

The docs appear to be slightly out of sync with the latest versions,
apologies, we'll fix that shortly.

     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.

More information about the Snort-users mailing list