Snort mailing list archives
Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]
From: John via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 19 Dec 2023 18:07:19 +0000
I did not create a capture. It has been a long time since I used tcpdump. Is this the correct way to grab some traffic? Assuming the target IP is 10.9.5.106: tcpdump -i eth0 host 10.9.5.106 -w /tmp/capture On Tuesday, December 19th, 2023 at 12:23 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
Do you have a pcap of the traffic that you can share?
Albert Lewis
Email: allewi () cisco comĀ
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of John via Snort-sigs <snort-sigs () lists snort
org>
Sent: Tuesday, December 19, 2023 7:57 AM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: [Snort-sigs] Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt]
When in a zoom meeting, snort is dropping hundreds of thousands packets which are getting flagged as:
"SERVER-MSSQL probe response overflow attempt" [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{UDP} 206.247.41.152:8801 -> 10.1.2.202:60966
Is this a false positive?
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 19)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 19)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Joel Esler via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] John via Snort-sigs (Dec 20)
- Re: Zoom meeting causes many [SERVER-MSSQL probe response overflow attempt] Al Lewis (allewi) via Snort-sigs (Dec 19)