Snort mailing list archives
Problem detecting MS-SQL sa login failures?
From: Anton Christian <anton_christian () yahoo com>
Date: Thu, 6 May 2004 15:54:20 -0700 (PDT)
As a test, an outsider ran an "sa" password cracking program against our MS-SQL server. Our RealSecure Network Sensor (v7) successfully detected and reported the attacks as "SQL_Auth_Failed" events. Alas, our Snort 2.1.1 sensor apparently did not detect this attack. I was expecting to see "MS-SQL sa login failed" alerts in the log but none were generated.

The rule is enabled:

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; content: "Login failed for user |27|sa|27|"; flow:from_server,established; classtype:unsuccessful-user; sid:688; rev:4;)

$SQL_SERVERS includes our SQL server. Our Snort sensor monitors the same external segment as the RealSecure box, and mostly, the alerts from the two boxes correlate.
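An added example, not part of the original post and not Snort project code: one thing to check when this rule stays silent is byte encoding. The rule's content is single-byte ASCII, while TDS 7.0 and later carry error message text as UTF-16LE. The payloads below are constructed, and whether the poster's server used that encoding is an assumption the post does not confirm.

```python
# Added example: compares the sid:688 content match against two encodings.
RULE_CONTENT = "Login failed for user |27|sa|27|"  # content option from the post

def parse_content(spec: str) -> bytes:
    """Turn a Snort content string (text with |hex| runs) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # Odd-numbered pieces sit between pipes and hold hex byte values.
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def to_snort_content(raw: bytes) -> str:
    """Render raw bytes as a Snort content string, hex-escaping where needed."""
    out, hexrun = [], []
    for b in raw:
        if 0x20 <= b < 0x7F and chr(b) not in '|";\\:':
            if hexrun:
                out.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)

def utf16_pattern(spec: str) -> bytes:
    """The rule's text re-encoded as UTF-16LE (two bytes per character)."""
    return parse_content(spec).decode("ascii").encode("utf-16-le")

# Constructed payloads (not captured traffic, no real TDS framing): placeholder
# leading bytes followed by the same error text in each encoding.
TEXT = "Login failed for user 'sa'."
ASCII_PAYLOAD = b"\x00\x00" + TEXT.encode("ascii")
UTF16_PAYLOAD = b"\x00\x00" + TEXT.encode("utf-16-le")

def evaluate() -> dict:
    """Report which pattern/payload combinations would match."""
    ascii_pat, wide_pat = parse_content(RULE_CONTENT), utf16_pattern(RULE_CONTENT)
    return {
        "ascii_rule_vs_ascii": ascii_pat in ASCII_PAYLOAD,
        "ascii_rule_vs_utf16": ascii_pat in UTF16_PAYLOAD,
        "utf16_rule_vs_utf16": wide_pat in UTF16_PAYLOAD,
    }

if __name__ == "__main__":
    print(evaluate())
    print('content:"' + to_snort_content(utf16_pattern(RULE_CONTENT)) + '";')
```

Comparing a packet capture of the failed logins against both patterns shows which encoding the server actually sends.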