Snort mailing list archives

Problem detecting MS-SQL sa login failures?


From: Anton Christian <anton_christian () yahoo com>
Date: Thu, 6 May 2004 15:54:20 -0700 (PDT)

As a test, an outsider ran an "sa" password cracking program against our MS-SQL
server.

Our RealSecure Network Sensor (v7) successfully detected and reported the
attacks as "SQL_Auth_Failed" events.

Alas, our Snort 2.1.1 sensor apparently did not detect this attack.  I was
expecting to see "MS-SQL sa login failed" alerts in the log but none were
generated.  The rule is enabled:

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed";
content: "Login failed for user |27|sa|27|"; flow:from_server,established;
classtype:unsuccessful-user; sid:688; rev:4;)

$SQL_SERVERS includes our SQL server.

Our Snort sensor monitors the same external segment as the RealSecure box, and
mostly, the alerts from the two boxes correlate.
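An added check, not part of the original post, for diagnosing why a content match like sid 688 might not fire: it translates the rule's content string (with its |27| hex escapes) into the exact bytes Snort compares against the server payload, then tries constructed ASCII and UTF-16LE copies of the error text. TDS 7 ERROR tokens carry their message text as UTF-16LE, so an ASCII-only content match would not see it; the sample payloads and the `snort_hex` helper are assumptions of this example, not captures from the list poster's network.

```python
import re

# Content string from Snort rule sid:688 as quoted in the post.
SID_688_CONTENT = "Login failed for user |27|sa|27|"


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort 'content' string into the raw bytes the engine searches for.
    Text between pipes is hex (|27| is a single quote); everything else is literal ASCII."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", content):
        out += literal.encode("ascii")
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)


def snort_hex(data: bytes) -> str:
    """Render raw bytes in Snort's |..| notation, e.g. for a UTF-16LE content match."""
    return "|" + " ".join(f"{b:02X}" for b in data) + "|"


def matched_encoding(payload: bytes, content: str = SID_688_CONTENT):
    """Mirror a plain (case-sensitive, byte-exact) content check and report which
    encoding of the message, if any, is present in the server->client payload."""
    raw = snort_content_to_bytes(content)
    if raw in payload:
        return "ascii"
    if raw.decode("ascii").encode("utf-16-le") in payload:
        return "utf-16le"
    return None


# Constructed sample payloads (a fake 4-byte TDS-style header followed by the
# error text); these are illustrations, not real captures.
ASCII_PAYLOAD = b"\x04\x01\x00\x40" + b"Login failed for user 'sa'."
UTF16_PAYLOAD = b"\x04\x01\x00\x40" + "Login failed for user 'sa'.".encode("utf-16-le")

if __name__ == "__main__":
    print("rule bytes :", snort_content_to_bytes(SID_688_CONTENT))
    print("ascii pkt  :", matched_encoding(ASCII_PAYLOAD))
    print("utf16 pkt  :", matched_encoding(UTF16_PAYLOAD))
    # Hex form a rule would need to match the UTF-16LE text byte-for-byte.
    print("utf16 hex  :", snort_hex("'sa'".encode("utf-16-le")))
```

Comparing the reported encoding against a packet capture of the failed login tells you whether the rule's content bytes can ever appear on the wire for this server.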
