Snort mailing list archives
MS-SQL Worm propagation -false positive
From: Natalie Keller <nrkeller () hns com>
Date: Thu, 08 Jan 2004 13:00:09 -0500
Over a 5-minute interval Snort captured more than 500 scans with the classic signature for MS-SQL Worm propagation:
38>snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} xxx.xx.x.xx:1105 -> <many random ipaddrs>:1434
The originating IP belonged to a laptop running XP with all up-to-date connected to the network over VPN 3-DES tunnel. The laptop was brought to IT for cleaning. The laptop was found to be up-to-date with all patches/service packs. The drive was scanned with Norton Anti-virus with all current signatures and came up clean. The laptop has been back on the network for 2 days with no further incidents. This would appear to be a false positive. Are there any other steps that could have been taken to track down and account for the original cause for this incident? Suggestions welcome.
Thanks.
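For triaging a burst of alerts like the one quoted in the message above, the following added example (not part of the original post, and not Snort's own code) parses syslog lines in that layout and reports, per signature and source address, how many alerts, distinct destinations and source ports were seen. The `summarize` function, the `min_dests` threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the Snort syslog alert layout quoted in the post; any syslog prefix is ignored.
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: [^\]]*\] \[Priority: \d+\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def summarize(lines, min_dests=3):
    """Group alerts by (sid, source IP) and report fan-out per group.

    min_dests is an assumed threshold for marking a source as fanning out.
    Returns (report, number_of_lines_that_did_not_parse).
    """
    groups = defaultdict(lambda: {"alerts": 0, "dests": set(), "sports": set()})
    unparsed = 0
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            unparsed += 1  # keep count so truncated log lines are not silently lost
            continue
        g = groups[(int(m["sid"]), m["src"])]
        g["alerts"] += 1
        g["dests"].add(m["dst"])
        g["sports"].add(int(m["sport"]))
    report = {}
    for key, g in groups.items():
        report[key] = {
            "alerts": g["alerts"],
            "distinct_dests": len(g["dests"]),
            "source_ports": sorted(g["sports"]),
            "fan_out": len(g["dests"]) >= min_dests,
        }
    return report, unparsed

# Constructed sample lines using documentation address ranges, not data from the post.
_HEAD = "<38>snort: [1:2003:2] MS-SQL Worm propagation attempt " \
        "[Classification: Misc Attack] [Priority: 2]: {UDP} "
SAMPLE = [
    _HEAD + "192.0.2.10:1105 -> 198.51.100.7:1434",
    _HEAD + "192.0.2.10:1105 -> 203.0.113.44:1434",
    _HEAD + "192.0.2.10:1105 -> 198.51.100.201:1434",
    _HEAD + "192.0.2.10:1105 -> 198.51.100.7:1434",
    _HEAD + "192.0.2.20:2044 -> 203.0.113.9:1434",
    "<38>snort: [1:2003:2] MS-SQL Worm propagation att",  # truncated line
]

if __name__ == "__main__":
    report, unparsed = summarize(SAMPLE)
    for (sid, src), stats in sorted(report.items()):
        print(sid, src, stats)
    print("unparsed lines:", unparsed)
```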