Snort mailing list archives
Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]
From: John via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 20 Dec 2023 21:08:52 +0000
Solid advice. I will just exclude snort3-server-mysql.rules and snort3-server-mssql.rules

On Wednesday, December 20th, 2023 at 1:51 PM, Joel Esler <eslerj () gmail com> wrote:

Easy fix for this should be to set the sql_servers variable. Also if you aren’t running sql_servers, turn the rule off. This vulnerability is from 2003. If you’re running internet facing 20 year old software, you have more problems than capturing packets.

—
Sent from my iPhone

On Dec 20, 2023, at 10:26, Al Lewis (allewi) via Snort-sigs <snort-sigs () lists snort org> wrote:

alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SERVER-MSSQL probe response overflow attempt"; flow:to_server; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329; rev:15; gid:1; )

That's the rule... so you may need to set your variables correctly.

Albert Lewis
Email: allewi () cisco com

---------------------------------------------------------------
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Wednesday, December 20, 2023 10:03 AM
To: John <therealgraysky () proton me>
Cc: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]

That would grab all traffic from the host. You should be able to filter it down to only the traffic that is triggering the event. Then use that to replay back into snort and check your rules/configuration. The ports listed below aren't the defaults for MSSQL.

Albert Lewis
Email: allewi () cisco com

---------------------------------------------------------------
From: John <therealgraysky () proton me>
Sent: Tuesday, December 19, 2023 1:07 PM
To: Al Lewis (allewi) <allewi () cisco com>
Cc: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]

I did not create a capture. It has been a long time since I used tcpdump. Is this the correct way to grab some traffic? Assuming the target IP is 10.9.5.106:

tcpdump -i eth0 host 10.9.5.106 -w /tmp/capture

On Tuesday, December 19th, 2023 at 12:23 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Do you have a pcap of the traffic that you can share?

Albert Lewis
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of John via Snort-sigs <snort-sigs () lists snort org>
Sent: Tuesday, December 19, 2023 7:57 AM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: [Snort-sigs] Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]

When in a zoom meeting, snort is dropping hundreds of thousands of packets which are getting flagged as:

"SERVER-MSSQL probe response overflow attempt" [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 206.247.41.152:8801 -> 10.1.2.202:60966

Is this a false positive?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
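The thread's diagnosis (the rule's payload options are easy to satisfy on arbitrary UDP traffic, and the alert only exists because $SQL_SERVERS defaults to $HOME_NET) can be checked offline. The following is an added example written for this page, not code from Snort, the ruleset, or anyone in the thread. It re-implements the payload options of sid 2329 in plain Python, in rule order, and then applies the header's $EXTERNAL_NET / $SQL_SERVERS check. Assumptions: HOME_NET is 10.0.0.0/8, the "real" MSSQL host 10.1.2.50 is hypothetical, all payloads are constructed (none is a capture), flow:to_server is not modelled because there is no session state, and isdataat:512,relative is read as "a byte exists 512 positions past the detection cursor".

```python
"""Emulate Snort sid 2329 ("SERVER-MSSQL probe response overflow attempt").

Added example for this thread, not code from Snort or the ruleset. It
re-implements the rule's payload options to show which datagrams match,
then applies the rule header so the effect of scoping $SQL_SERVERS is visible.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def sid2329_payload_matches(p: bytes) -> bool:
    """Payload options of sid 2329, evaluated in rule order.

    flow:to_server is not modelled here (no session tracking in this script).
    """
    # content:"|05|"; depth:1  -> the first payload byte must be 0x05
    if len(p) < 3 or p[0] != 0x05:
        return False
    cursor = 1  # detection cursor sits just after the matched byte

    # byte_test:2,>,512,1  -> 2 bytes at absolute offset 1, big-endian (the
    # default), must be greater than 512; byte_test does not move the cursor
    (value,) = struct.unpack_from(">H", p, 1)
    if not value > 512:
        return False

    # content:"|3B|"; distance:0  -> next ';' at or after the cursor
    idx = p.find(b"\x3b", cursor)
    if idx < 0:
        return False
    cursor = idx + 1

    # isdataat:512,relative  -> a byte must exist 512 past the cursor
    # (assumption: this is how the option is read here)
    if len(p) <= cursor + 512:
        return False

    # content:!"|3B|"; within:512  -> no further ';' in the next 512 bytes
    return b"\x3b" not in p[cursor:cursor + 512]


HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]               # assumption
DEFAULT_SQL_SERVERS = HOME_NET                                # Snort default: $HOME_NET
SCOPED_SQL_SERVERS = [ipaddress.ip_network("10.1.2.50/32")]   # hypothetical MSSQL host


def _in(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def would_alert(pkt: UdpPacket, sql_servers) -> bool:
    """Rule header 'udp $EXTERNAL_NET any -> $SQL_SERVERS any' plus payload."""
    if _in(pkt.src, HOME_NET):          # $EXTERNAL_NET defaults to !$HOME_NET
        return False
    if not _in(pkt.dst, sql_servers):
        return False
    return sid2329_payload_matches(pkt.payload)


def filler(n: int) -> bytes:
    """Deterministic bytes that never contain 0x3B (';')."""
    alphabet = bytes(b for b in range(256) if b != 0x3B)
    return (alphabet * (n // len(alphabet) + 1))[:n]


# Constructed payloads (not captured traffic):
# 1. Media-like datagram of the shape the thread's alert reports: starts with
#    0x05, a big value in bytes 1..2, an early ';', then a long run with no ';'.
ZOOM_LIKE = b"\x05\x05\x8f\x00\x3b" + filler(700)
# 2. Ordinary SSRP-style browser reply: ';'-separated fields, far too short.
SSRP_SHORT = b"\x05\x02\x58" + b"ServerName;DB01;InstanceName;MSSQLSERVER;tcp;1433;;"
# 3. Over-long field of the kind the rule is actually written for.
SSRP_LONG = b"\x05\x02\x58" + b"ServerName;" + b"A" * 700

ZOOM_PKT = UdpPacket("206.247.41.152", 8801, "10.1.2.202", 60966, ZOOM_LIKE)  # addresses from the thread
SQL_PKT = UdpPacket("203.0.113.9", 1434, "10.1.2.50", 1434, SSRP_LONG)        # constructed

if __name__ == "__main__":
    for name, p in (("ZOOM_LIKE", ZOOM_LIKE), ("SSRP_SHORT", SSRP_SHORT), ("SSRP_LONG", SSRP_LONG)):
        print(f"{name:10s} payload match: {sid2329_payload_matches(p)}")
    print("Zoom pkt, SQL_SERVERS=$HOME_NET :", would_alert(ZOOM_PKT, DEFAULT_SQL_SERVERS))
    print("Zoom pkt, SQL_SERVERS scoped    :", would_alert(ZOOM_PKT, SCOPED_SQL_SERVERS))
    print("SQL pkt,  SQL_SERVERS scoped    :", would_alert(SQL_PKT, SCOPED_SQL_SERVERS))
```

The point of the two `would_alert` calls is the one Joel and Al make: the payload test is the same in both cases, so the only thing that turns the Zoom datagram into an alert is the destination falling inside $SQL_SERVERS. If you want to confirm against the real engine rather than this emulation, narrow the capture John describes to the flow in the alert (for example `tcpdump -r /tmp/capture -w /tmp/zoom.pcap 'udp and port 8801'`, a standard BPF filter, not a command from the thread) and read that file back into Snort 3 with `-r` under the production configuration before and after scoping the variable.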
Current thread:
- Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 19)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 19)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Joel Esler via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 19)