Snort mailing list archives
Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]
From: "Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 20 Dec 2023 15:03:39 +0000
That would grab all traffic from the host. You should be able to filter it down to only the traffic that is triggering the event. Then use that to replay back into snort and check your rules/configuration.

The ports listed below aren't the defaults for MSSQL.

Albert Lewis
Email: allewi () cisco com

________________________________
From: John <therealgraysky () proton me>
Sent: Tuesday, December 19, 2023 1:07 PM
To: Al Lewis (allewi) <allewi () cisco com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]

I did not create a capture. It has been a long time since I used tcpdump. Is this the correct way to grab some traffic? Assuming the target IP is 10.9.5.106:

tcpdump -i eth0 host 10.9.5.106 -w /tmp/capture

On Tuesday, December 19th, 2023 at 12:23 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Do you have a pcap of the traffic that you can share?

Albert Lewis
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of John via Snort-sigs <snort-sigs () lists snort org>
Sent: Tuesday, December 19, 2023 7:57 AM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]

When in a Zoom meeting, snort is dropping hundreds of thousands of packets which are getting flagged as:

"SERVER-MSSQL probe response overflow attempt" [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 206.247.41.152:8801 -> 10.1.2.202:60966

Is this a false positive?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
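As an added example (not code from this thread or from the Snort project), here is a small POSIX shell helper that does what Al describes: it takes the 5-tuple out of the alert John posted, turns it into a BPF filter so tcpdump records only the flow that fires the rule (both directions, so Snort has the full conversation on replay), caps the capture size, and then replays the pcap through Snort offline against the same configuration to see whether the rule still fires. The interface name, file paths, the packet cap and the Snort 2 command-line flags (`-c`, `-r`, `-A console`, `-q`) are assumptions; the sample alert line is the one quoted in the original post.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the flow named in a Snort
# alert into a BPF filter so the capture holds only the triggering traffic,
# then replay that pcap through Snort to re-test the rule set.
# Interface names, file paths and the Snort 2 flags are assumptions.

# Constructed sample: the alert line quoted in the original post.
SAMPLE_ALERT='"SERVER-MSSQL probe response overflow attempt" [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 206.247.41.152:8801 -> 10.1.2.202:60966'

# alert_to_bpf ALERT_LINE
# Extracts "{PROTO} src:sport -> dst:dport" and prints a bidirectional BPF
# expression (both directions, so Snort sees the whole flow on replay).
# Returns 1 if the line carries no 5-tuple.
alert_to_bpf() {
    fields=$(printf '%s\n' "$1" | sed -n \
        's/.*{\([A-Za-z]*\)} \([0-9.]*\):\([0-9]*\) -> \([0-9.]*\):\([0-9]*\).*/\1 \2 \3 \4 \5/p')
    [ -n "$fields" ] || return 1
    # shellcheck disable=SC2086  (word-splitting into proto src sport dst dport is intended)
    set -- $fields
    proto=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))\n' \
        "$proto" "$2" "$3" "$4" "$5" "$4" "$5" "$2" "$3"
}

# capture_flow IFACE BPF OUTFILE [COUNT]
# Full-packet capture (-s 0) limited to the filtered flow; stops after COUNT
# packets so a busy Zoom session cannot fill the disk. Needs root/CAP_NET_RAW.
capture_flow() {
    tcpdump -i "$1" -nn -s 0 -c "${4:-5000}" -w "$3" "$2"
}

# replay_into_snort PCAP SNORT_CONF
# Reads the pcap offline with the same configuration as the sensor and prints
# any alerts to the console, so a rule or config change can be verified
# before it goes to production. (Snort 2 syntax assumed.)
replay_into_snort() {
    snort -q -c "$2" -r "$1" -A console
}

# Usage (only when invoked as: sh this_script.sh run):
case "${1:-}" in
    run)
        filter=$(alert_to_bpf "$SAMPLE_ALERT") || { echo "no 5-tuple in alert" >&2; exit 1; }
        echo "capturing with filter: $filter"
        capture_flow eth0 "$filter" /tmp/zoom-flow.pcap 5000
        replay_into_snort /tmp/zoom-flow.pcap /etc/snort/snort.conf
        ;;
esac
```

Run it as `sh capture_replay.sh run` on the sensor while the Zoom session is active; the resulting pcap is small enough to attach to a list post or to re-run after each rule tweak. Snort 3 reads pcaps with the same `-r` flag but names its alert outputs differently (for example `-A alert_fast`), so adjust `replay_into_snort` for that version.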
Current thread:
- Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 19)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 19)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Joel Esler via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 19)