[Dshield] SQLSnake snort sig

Kenneth Williams ken at kwilliams.org
Tue May 21 22:46:35 GMT 2002

Since I do not have any exposed msql servers I can not vouch for wether this
would create false positives on a network with mysql but it shouldn't if no
external net traffic is expected to msql.
I also disclaim any expertise in snort rules but this seems to alert on
SQLSnake correctly. Until a sig appears this works for me.  I added the
following rule to my local.rules.
Ken Williams
ken at kwilliams.org
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg: "SQLSnake Probe - Local
 3"; classtype:local-rule-violation; sid:1000002; rev:1;)
Ken Williams

More information about the list mailing list