Snort mailing list archives

Re: MS-SQL Probe when listening to streaming radio! ???


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 29 Mar 2006 09:58:07 -0600

Here's what that rule is looking for:

On any port of any host designated as a SQL SERVER (in the var in your snort.conf file)

content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512;

Which translates to:

Enqueue followed by ";" between 2 and 512 bytes later followed by another ";" within 512 bytes of the previous one with data in between the semicolons. Enqueuing is the process of putting items in a queue, which is frequently used in databases.

Can you post the payload?

If you have sql servers on your network, you should define them in the SQL_SERVERS var in snort.conf. That will eliminate useless alerts like this one.

--On Wednesday, March 29, 2006 08:53:46 -0500 Jeffery Gunter <jgunter () cbetn com> wrote:



Hi Folks;

I’m quite new to snort.  I have a user using Win Media Player to listen
to streaming radio from WIMZ out of Knoxville, TN. My issue is that it is
causing snort to go crazy. I've received over 100 of the following
messages:

IDS:S=snort:ID=1:[1:2329:6] MS-SQL probe response overflow attempt
[Classification: Attempted User Privilege Gain] [Priority: 1]: {UDP}
66.250.188.37:2267 -> 10.88.220.65:1215

My user's ip is 65 and when I had her stop accessing the stream the
messages stopped? What is up with this? I have no SQL services running on
her computer?

Thanks for your help!

J

Jeffery Gunter  |  Chief Information Officer  |  Citizens Bank of East
Tennessee  |  http://www.cbetn.com

email:  jgunter () cbetn com

Land:  423-272-2200  x17

Cell:  423-754-5157

Fax:  423-272-2322




Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
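To make the option chain quoted above concrete, here is an added Python re-implementation of the payload checks (it is not code from the thread or from Snort itself). The function names, the backtracking loop over every ";" candidate, and the SQL_SERVERS scoping helper are my assumptions about how the rule behaves; the sample payloads are constructed, not captured traffic. The header scoping mirrors what Paul describes: with the stock snort.conf setting of SQL_SERVERS to $HOME_NET, every internal host is a candidate destination, so a stream of UDP packets to a workstation gets evaluated just like traffic to a real SQL server.

```python
import ipaddress
import struct


def rule_2329_payload_matches(payload: bytes) -> bool:
    """Emulate the option chain quoted in the thread (hypothetical helper):

    content:"|05|"; depth:1;       byte 0 must be 0x05, cursor moves to offset 1
    byte_test:2,>,512,1;           2 bytes at absolute offset 1 (big-endian) > 512
    content:"|3B|"; distance:0;    a ';' at or after the cursor
    isdataat:512,relative;         at least 512 bytes of data after that ';'
    content:!"|3B|"; within:512;   and no further ';' inside those 512 bytes
    """
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    (length_field,) = struct.unpack_from(">H", payload, 1)
    if length_field <= 512:
        return False
    # Snort retries a later ';' when the options after it fail, so every
    # candidate is tried (assumption: emulates content backtracking).
    start = 1
    while True:
        i = payload.find(b";", start)
        if i == -1:
            return False
        after = i + 1
        if len(payload) - after >= 512 and b";" not in payload[after:after + 512]:
            return True
        start = after


def alert_fires(dst_ip: str, payload: bytes, sql_servers) -> bool:
    """Header part: udp $EXTERNAL_NET any -> $SQL_SERVERS any (as Paul describes it).
    sql_servers is the list of networks you would put in the SQL_SERVERS var."""
    dst = ipaddress.ip_address(dst_ip)
    in_scope = any(dst in ipaddress.ip_network(net) for net in sql_servers)
    return in_scope and rule_2329_payload_matches(payload)


# Constructed payloads for illustration (not captured traffic).
OVERFLOW_LIKE = b"\x05" + struct.pack(">H", 0x1000) + b"abc;" + b"A" * 600
SHORT_LENGTH = b"\x05" + struct.pack(">H", 100) + b"abc;" + b"A" * 600
RETRY_CASE = b"\x05" + struct.pack(">H", 0x1000) + b";" + b"A" * 100 + b";" + b"B" * 600
TWO_SEMIS = b"\x05" + struct.pack(">H", 0x1000) + b";" + b"A" * 100 + b";" + b"B" * 100

if __name__ == "__main__":
    for name, p in [("OVERFLOW_LIKE", OVERFLOW_LIKE), ("SHORT_LENGTH", SHORT_LENGTH),
                    ("RETRY_CASE", RETRY_CASE), ("TWO_SEMIS", TWO_SEMIS)]:
        print(f"{name:14s} payload match: {rule_2329_payload_matches(p)}")
    # Same payload, same workstation: default SQL_SERVERS (= HOME_NET) versus a
    # narrowed list that names only a real SQL server.
    print("default scope :", alert_fires("10.88.220.65", OVERFLOW_LIKE, ["10.0.0.0/8"]))
    print("narrowed scope:", alert_fires("10.88.220.65", OVERFLOW_LIKE, ["10.88.1.10/32"]))
```

RETRY_CASE is the edge worth knowing: the first ";" is followed by another one inside 512 bytes, so the negated content fails there, but Snort moves on to the next ";" and the rule still fires. TWO_SEMIS never has 512 bytes after any ";" and does not match. Narrowing SQL_SERVERS does not change the payload verdict at all; it simply stops the rule from being evaluated against hosts that are not SQL servers, which is why Paul's suggestion removes the alert.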
