Snort mailing list archives

Wrong rule's signature for "MS-SQL Worm propagation attempt"

From: Phong Nguyen <nguyen.phong () axone ch>
Date: Wed, 28 Jul 2004 13:09:01 +0000

Hello all,

I'm facing a problem that I cannot resolved by myself. My snort is detecting  
"MS-SQL Worm propagation attempt" alerts but wich are in fact "ICMP Source 
Quench" alerts !!! I'm sure of that because when I look to the alert, it 
shows me a ICMP request (type 4).

Because my firewall is blocking IP address when a "MS-SQL Worm propagation 
attempt" alert is detected, so are some IP address wrongly blocked when they 
sent ICMP Source Quench !! 

Could somebody help me please
Thanks a lot

Phong
 
-- 
Nguyen Phong
Axone Services & Developments
2 crs de Rive
1204 GE/CH



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Wrong rule's signature for "MS-SQL Worm propagation attempt" Phong Nguyen (Jul 28)
- <Possible follow-ups>
- RE: Wrong rule's signature for "MS-SQL Worm propagation attempt" Joshua Berry (Jul 28)