[Snort-users] False +ves for SQL generic sql update injection attempt 13514

Russell Fulton r.fulton at ...3809...
Mon Apr 28 00:14:43 EDT 2008


I'm seeing thousands of FPs on this rule -- the one below is doing a WSUS update...

Russell

META
  SID:               6
  CID:               13220748
  TimeStamp:         2008-04-28 09:44:11
  Signature:         SQL generic sql update injection attempt
  Sig ID:            13514
  Sensor Hostname:   monitor-dmzo.isec.auckland.ac.nz
  Sensor Interface:  dmz sensor

IP
  Source Address:    130.216.187.147
  Dest Address:      203.167.223.235
  Resolved Source:   h-kang-p.sbs.auckland.ac.nz
  Resolved Dest:     a203-167-223-235.deploy.akamaitechnologies.com
  Ver: 4   Hdr Len: 5   TOS: 0   length: 235   ID: 19559   flags: 2   offset: 0   TTL: 126   chksum: 50598

TCP
  Source Port: 3022   Dest Port: 80
  Seq: 1204654794   Ack: 925584691
  Offset: 5   Reserved: 0   Flags: 24 (ACK, PSH)   Window: 65535   Checksum: 8765   Urgent Ptr: 0
  Options: None


DATA (the ".." pairs in the original dump are CR LF):

HEAD /v7/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0804272144 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive
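Added example, not part of Russell's post and not the text of the Snort rule: the request above re-assembled from the wrapped DATA dump, checked against the packet's own length fields (235-byte IP datagram, 5-word IP header, 5-word TCP header), and run against two patterns. The loose pattern ("update" followed anywhere by "set") is an assumed stand-in for whatever in SID 13514 fires on the substrings in "windowsupdate" and "wsus3setup"; the strict pattern is an assumed tightening; the injected request and its www.example.com target are constructed for contrast.

```python
import re
from urllib.parse import unquote

# Constructed from the post: the wrapped DATA dump re-joined, with each
# ".." pair rendered as the CR LF it stands for.
WSUS_REQUEST = (
    b"HEAD /v7/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab"
    b"?0804272144 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Windows-Update-Agent\r\n"
    b"Host: download.windowsupdate.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed contrast case (hypothetical target): a request that really
# does carry an UPDATE ... SET statement in its query string.
INJECTED_REQUEST = (
    b"GET /account.php?id=7;update%20users%20set%20role='admin'%20where%20id=7--"
    b" HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

# Header fields copied from the alert's IP and TCP tables.
IP_TOTAL_LENGTH = 235   # IP "length"
IP_HDR_LEN_WORDS = 5    # IP "Hdr Len", in 32-bit words
TCP_OFFSET_WORDS = 5    # TCP "Offset", in 32-bit words


def expected_payload_length() -> int:
    """TCP payload bytes implied by the alert's own header fields."""
    return IP_TOTAL_LENGTH - 4 * IP_HDR_LEN_WORDS - 4 * TCP_OFFSET_WORDS


def request_uri(request: bytes) -> str:
    """Request-target from the request line, percent-decoded the way a
    URI-normalising HTTP inspector would present it to a rule."""
    request_line = request.split(b"\r\n", 1)[0]
    _method, target, _version = request_line.split(b" ", 2)
    return unquote(target.decode("ascii", "replace"))


# Assumed loose pattern: 'update' followed anywhere by 'set'. Not the
# text of SID 13514; it stands in for any match loose enough to fire on
# the substrings inside "windowsupdate" and "wsus3setup".
LOOSE = re.compile(r"update.*set", re.IGNORECASE)

# Assumed tightened variant: keyword boundary, whitespace, a table name,
# SET, and the start of an assignment.
STRICT = re.compile(r"\bupdate\s+[\w.]+\s+set\s+\w+\s*=", re.IGNORECASE)


def classify(request: bytes) -> dict:
    """Report which of the two patterns would fire on the request's URI."""
    uri = request_uri(request)
    return {
        "loose": LOOSE.search(uri) is not None,
        "strict": STRICT.search(uri) is not None,
    }


if __name__ == "__main__":
    # The re-assembled payload must be exactly the 195 bytes the headers imply.
    assert len(WSUS_REQUEST) == expected_payload_length()
    for name, req in (("wsus", WSUS_REQUEST), ("injected", INJECTED_REQUEST)):
        print(name, request_uri(req), classify(req))
```

The WSUS request trips the loose pattern and not the strict one, while the constructed injection trips both, which is the behaviour a rewritten rule needs. Suppressing the alert by address instead (Snort's `suppress gen_id 1, sig_id 13514, track by_src, ip 130.216.187.147`) would only hide this one client, and suppressing by destination is brittle because the download host resolves to rotating Akamai addresses.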
