<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr"><div>I use UML virtual machines and I want to trigger alerts when connecting to <i>mysql</i> on <i>extc</i> as user root:</div>

<div style="text-align:left"><br><tt>root@...16846...:~# mysql -u root -h extc -p</tt><br><br>and then:<br><tt>mysql> show databases;</tt><br><br>I am asked to analyze the network traffic between extb and extc and relate it to the following Snort rules:<br></div><div><div>
<p><tt>alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)</tt></p>



<p><tt>alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)</tt></p>



<br><b>Why is the first rule not triggered when you run "mysql -u root -h extc -p", while the second one is triggered when you run "show databases;"?</b><br><br><br></div></div>
Thanks a lot.</div>
</div><br></div>
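<p>The following is an added example, not part of the original post or of the Snort rule set. It builds the MySQL client packets that a root login and a <tt>show databases</tt> query put on the wire and checks the two <tt>content:</tt> patterns above against them. The 4-byte packet header (3-byte little-endian payload length plus sequence id), the pre-4.1 handshake-response layout, the 4.1+ layout and the COM_QUERY format follow the MySQL client/server protocol; the concrete capability flags, scramble length and character-set byte used for the two constructed login packets are assumptions chosen for illustration, and the matcher is a plain substring search standing in for Snort's <tt>content:</tt> (the real rule additionally requires the port and flow conditions).</p>

```python
"""Check the byte patterns of Snort sids 1775 and 1776 against constructed
MySQL client packets.  Added example; not code from the original post."""
import struct


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string such as '|0A 00|root|00|' to raw bytes.

    Chunks between '|' delimiters are hex; everything else is literal ASCII.
    """
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 1:                  # odd chunks sit inside a '|...|' pair
            out += bytes.fromhex(chunk)
        else:
            out += chunk.encode("ascii")
    return bytes(out)


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Prepend the MySQL packet header: 3-byte LE payload length + 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def old_client_auth(user: str, scramble: bytes) -> bytes:
    """Pre-4.1 handshake response: 2-byte client flags, 3-byte max packet size,
    NUL-terminated user name, then the scrambled password (empty if no password).

    Flag value 0x0485 and max packet 0x800000 are the ones hard-coded in sid 1775
    and are used here as an assumption about what such an old client sends.
    """
    payload = (struct.pack("<H", 0x0485)
               + struct.pack("<I", 0x800000)[:3]
               + user.encode() + b"\x00"
               + scramble)
    return mysql_packet(payload, seq=1)


def new_client_auth(user: str, auth_response: bytes) -> bytes:
    """4.1+ handshake response (CLIENT_PROTOCOL_41 set): 4-byte flags, 4-byte max
    packet size, 1-byte charset, 23 reserved bytes, NUL-terminated user name,
    length-prefixed auth data.  Flag/charset values are constructed for the example.
    """
    client_flags = 0x000AA285          # constructed; includes CLIENT_PROTOCOL_41 (0x200)
    payload = (struct.pack("<I", client_flags)
               + struct.pack("<I", 0x1000000)
               + bytes([0x21])             # assumed charset byte (utf8_general_ci)
               + b"\x00" * 23
               + user.encode() + b"\x00"
               + bytes([len(auth_response)]) + auth_response)
    return mysql_packet(payload, seq=1)


def com_query(sql: str) -> bytes:
    """COM_QUERY (0x03) followed by the statement text.  The mysql CLI sends the
    statement without the trailing ';' delimiter, so that is what we build."""
    return mysql_packet(b"\x03" + sql.encode(), seq=0)


# Patterns copied from the two rules in the question.
SID_1775 = snort_content_to_bytes("|0A 00 00 01 85 04 00 00 80|root|00|")
SID_1776 = snort_content_to_bytes("|0F 00 00 00 03|show databases")


def rule_matches(pattern: bytes, packet: bytes) -> bool:
    """A bare `content:` (no nocase/offset/depth) is a case-sensitive substring test."""
    return pattern in packet


def evaluate() -> dict:
    """Run each constructed packet against both patterns; keyed by a short label."""
    return {
        "old_root_nopass_1775": rule_matches(SID_1775, old_client_auth("root", b"")),
        "old_root_pass_1775":   rule_matches(SID_1775, old_client_auth("root", b"A" * 8)),
        "new_root_1775":        rule_matches(SID_1775, new_client_auth("root", b"B" * 20)),
        "show_databases_1776":  rule_matches(SID_1776, com_query("show databases")),
        "SHOW_DATABASES_1776":  rule_matches(SID_1776, com_query("SHOW DATABASES")),
    }


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:24s} {'ALERT' if hit else 'no match'}")
```

<p>Running it shows why the two rules behave differently: sid 1775 embeds the whole header of one specific pre-4.1 login packet (payload length 0x0A, sequence 1, flags 0x0485, max packet 0x800000, user <tt>root</tt> and an empty password), so an old client sending a non-empty scramble changes the length byte and a 4.1+ client changes the entire header, and neither matches. sid 1776 embeds the COM_QUERY header for exactly the 14-byte text <tt>show databases</tt>, which is what the mysql CLI still sends, so that one fires; the same query typed in upper case would not, because the content match is case-sensitive without <tt>nocase</tt>.</p>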