Snort mailing list archives

MS-SQL Worm propagation -false positive


From: Natalie Keller <nrkeller () hns com>
Date: Thu, 08 Jan 2004 13:00:09 -0500

Over a 5 minute interval Snort captured more than 500 scans with the classic signature for MS-SQL Worm propagation:

38>snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} xxx.xx.x.xx:1105 -> <many random ipaddrs>:1434

The originating IP belonged to a laptop running XP that was all up-to-date, connected to the network over a VPN 3-DES tunnel. The laptop was brought to IT for cleaning. The laptop was found to be up-to-date with all patches/service packs. The drive was scanned with Norton Anti-virus with all current signatures and came up clean. The laptop has been back on the network for 2 days with no further incidents. This would appear to be a false positive. Are there any other steps that could have been taken to track down and account for the original cause of this incident? Suggestions welcome.

Thanks.
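As an added triage example (not part of the original post, and not Snort's own code): a script that parses alert lines in the syslog layout quoted above and summarises each source's fan-out, so that one host firing hundreds of sid 2003 alerts to distinct hosts on 1434/udp from a single source port can be told apart from a stray alert. The addresses and sample lines below are constructed placeholders, and the threshold of 50 unique destinations is an assumption.

```python
import re
from collections import defaultdict

# Snort syslog/fast alert layout, as in the alert quoted in the post
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def fanout_by_source(lines, sid="2003"):
    """Group alerts for one signature by source host: alert count, distinct
    destinations, and the source/destination ports seen."""
    stats = defaultdict(lambda: {"count": 0, "dsts": set(), "sports": set(), "dports": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] != sid:
            continue
        s = stats[a["src"]]
        s["count"] += 1
        s["dsts"].add(a["dst"])
        s["sports"].add(a["sport"])
        s["dports"].add(a["dport"])
    return stats

def looks_like_scanner(entry, min_unique_dsts=50):
    """Worm-style propagation: one source fanning out to many distinct hosts on
    1434/udp from a single fixed source port, as in the post. A lone alert to one
    or two hosts is the usual shape of a false positive. Threshold is assumed."""
    return (len(entry["dsts"]) >= min_unique_dsts
            and entry["dports"] == {"1434"}
            and len(entry["sports"]) == 1)

# Constructed sample: 500 alerts from one VPN host (10.0.0.5, placeholder) to
# random destinations over a few minutes, plus one isolated alert from 10.0.0.9.
SAMPLE = [
    f"Jan  8 12:5{i // 60}:{i % 60:02d} sensor snort: [1:2003:2] MS-SQL Worm propagation attempt "
    f"[Classification: Misc Attack] [Priority: 2]: {{UDP}} 10.0.0.5:1105 -> 172.16.{i // 256}.{i % 256}:1434"
    for i in range(500)
] + [
    "Jan  8 12:57:10 sensor snort: [1:2003:2] MS-SQL Worm propagation attempt "
    "[Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.9:3201 -> 10.0.0.20:1434",
]

if __name__ == "__main__":
    for src, entry in fanout_by_source(SAMPLE).items():
        print(src, entry["count"], len(entry["dsts"]), looks_like_scanner(entry))
```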



