Snort mailing list archives
False +ves for SQL generic sql update injection attempt 13514
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 28 Apr 2008 16:14:43 +1200
I'm seeing thousands of FP on this rule -- the one below is doing an WSUS update... Russell META SID CID TimeStamp Signature Sig ID 6 13220748 2008-04-28 09:44:11 SQL generic sql update injection attempt 13514 Sensor Hostname Sensor Interface monitor-dmzo.isec.auckland.ac.nz dmz sensor IP Source Address Dest Address Ver Hdr Len TOS length ID flags offset TTL chksum 130.216.187.147 203.167.223.235 4 5 0 235 19559 2 0 126 50598 Resolved Source Resolved Dest h-kang-p.sbs.auckland.ac.nz a203-167-223-235.deploy.akamaitechnologies.com TCP Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum Urgent Ptr 3022 80 1204654794 925584691 5 0 24 65535 8765 0 Options None Flags RB 1 RB 0 URG ACK PSH RST SYN FIN X X DATA HEAD /v7/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3set up.cab?0804272144 HTTP/1.1..Accept: */*..User-Agent: Windows -Update-Agent..Host: download.windowsupdate.com..Connection: Keep-Alive.... ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- False +ves for SQL generic sql update injection attempt 13514 Russell Fulton (Apr 27)