[Snort-users] Fwd: Problem with snort alert 1775

pepa gir pepetabet at ...11827...
Tue May 13 17:40:42 EDT 2014


I use UML virtual machines and I want to trigger alerts when connecting to *mysql* on *extc* with user root:

root at ...16846...:~# mysql -u root -h extc -p

and then:
mysql> show databases;

We are asked to analyze the network traffic between extb and extc and relate it to the following Snort rules:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)

*Why is the first rule not triggered when I run "mysql -u root -h extc -p", while the second one does fire when I run "show databases;"?*



Thanks a lot.
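As an added illustration (not from the original post and not part of the Snort rule set): the content bytes in sid:1775 decode as a pre-4.1 MySQL client login packet (2-byte capability flags, 3-byte max packet size, then the username), which is the layout a 4.0-era client sent; a current mysql client sends the 4.1+ layout, so a plain content match on those bytes does not find them. The capability values, charset and the 20-byte auth response used for the modern packet below are constructed assumptions.

```python
"""Why Snort sid:1775 may never fire: its content bytes encode a pre-4.1
MySQL client login packet, which a modern mysql client does not send."""
import struct

# The byte pattern from sid:1775 (|0A 00 00 01 85 04 00 00 80|root|00|).
SID_1775_CONTENT = bytes.fromhex("0A 00 00 01 85 04 00 00 80") + b"root\x00"


def decode_as_pre41_login(pkt: bytes) -> dict:
    """Interpret bytes as a MySQL pre-4.1 HandshakeResponse320 packet:
    3-byte LE length, 1-byte sequence id, 2-byte capability flags,
    3-byte max packet size, NUL-terminated username."""
    length = int.from_bytes(pkt[0:3], "little")
    seq = pkt[3]
    caps = struct.unpack_from("<H", pkt, 4)[0]
    max_packet = int.from_bytes(pkt[6:9], "little")
    user = pkt[9:pkt.index(b"\x00", 9)].decode()
    return {"length": length, "seq": seq, "caps": caps,
            "max_packet": max_packet, "user": user}


def build_login(user: str, caps: int, max_packet: int, auth: bytes,
                protocol41: bool, seq: int = 1) -> bytes:
    """Build a client login packet as either protocol generation sends it."""
    if protocol41:
        # HandshakeResponse41: 4-byte caps, 4-byte max packet, 1-byte charset,
        # 23 reserved bytes, NUL-terminated username, length-prefixed auth.
        body = (struct.pack("<IIB", caps, max_packet, 33) + bytes(23)
                + user.encode() + b"\x00" + bytes([len(auth)]) + auth)
    else:
        # HandshakeResponse320: 2-byte caps, 3-byte max packet, username, auth.
        body = (struct.pack("<H", caps & 0xFFFF) + max_packet.to_bytes(3, "little")
                + user.encode() + b"\x00" + auth)
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


def sid_1775_matches(packet: bytes) -> bool:
    """Emulate the rule's content match: a plain substring search."""
    return SID_1775_CONTENT in packet


# Constructed sample: a legacy 4.0-era root login with an empty password ...
LEGACY = build_login("root", 0x0485, 0x800000, b"", protocol41=False)
# ... and a 4.1+ style root login with a constructed 20-byte auth response
# (a real one is derived from the server's scramble and the password).
MODERN = build_login("root", 0x000FA685, 0x01000000, b"\x11" * 20, protocol41=True)

if __name__ == "__main__":
    print(decode_as_pre41_login(SID_1775_CONTENT))
    print("legacy login matches sid:1775:", sid_1775_matches(LEGACY))  # True
    print("modern login matches sid:1775:", sid_1775_matches(MODERN))  # False
```

The legacy packet reproduces the rule's content byte for byte, while in the 4.1+ packet the username sits 36 bytes in and is preceded by different flag bytes, which is why a rule written for the old layout stays silent on a current client.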

