[Dshield] SQLSnake snort sig

Johannes Ullrich jullrich at sans.org
Tue May 21 23:48:58 GMT 2002

> #
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg: "SQLSnake Probe - Local Rule 3"; classtype:local-rule-violation; sid:1000002; rev:1;)
> #

I think this is too general. It will flag all MS-SQL traffic (but on the other
hand, if you don't have any, that may not matter).

It's probably best to either:
- flag everything on port 1433 as 'MS-SQL' (if you don't run SQL Server)
- only flag packets that contain the empty-password SA login attempt.
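The two options above, as an added example that is not part of the original message or of any DShield/Snort code: a small Python detector that either tags any packet to port 1433 as MS-SQL, or inspects the TDS login record and only tags a login as user "sa" with a zero-length password. The TDS 4.2 login layout (fixed 30-byte fields with a trailing length byte) and the TDS 7.0 LOGIN7 layout (offset/length pairs at payload offset 40, UCS-2 strings, nibble-swap-XOR-0xA5 password obfuscation) are assumptions taken from memory of the protocol, not from the message; the packets are constructed in the block so it runs offline.

```python
import struct

TDS_LOGIN42 = 0x02      # TDS 4.2/5.0 LOGIN packet type (assumed layout, see parse_login)
TDS_LOGIN7 = 0x10       # TDS 7.x LOGIN7 packet type (assumed layout, see parse_login)
TDS_HEADER_LEN = 8
MSSQL_PORT = 1433


def tds_packet(ptype, payload):
    """Prepend the 8-byte TDS header: type, status (EOM), big-endian length, spid, packet id, window."""
    return struct.pack('>BBHHBB', ptype, 0x01, TDS_HEADER_LEN + len(payload), 0, 1, 0) + payload


def build_login42(user, password, host='client'):
    """Constructed TDS 4.2 login: hostname[30]+len, username[30]+len, password[30]+len, then filler."""
    def field(s, width):
        b = s.encode('latin-1')[:width]
        return b.ljust(width, b'\x00') + bytes([len(b)])
    payload = field(host, 30) + field(user, 30) + field(password, 30)
    payload += b'\x00' * 400        # rest of the login record, zeroed for this constructed sample
    return tds_packet(TDS_LOGIN42, payload)


def build_login7(user, password, host='client'):
    """Constructed TDS 7.0 LOGIN7 with the three offset/length pairs we care about filled in."""
    FIXED = 86                      # assumed size of the LOGIN7 fixed portion (TDS 7.0)
    host_b, user_b = host.encode('utf-16-le'), user.encode('utf-16-le')
    # TDS 7 password obfuscation: swap nibbles of each byte, then XOR with 0xA5
    pw_b = bytes((((b << 4) | (b >> 4)) & 0xFF) ^ 0xA5 for b in password.encode('utf-16-le'))
    data = host_b + user_b + pw_b
    payload = bytearray(FIXED + len(data))
    struct.pack_into('<I', payload, 0, len(payload))    # total LOGIN7 length
    struct.pack_into('<I', payload, 4, 0x70000000)      # TDSVersion 7.0
    ib = FIXED
    for off, blob, cch in ((36, host_b, len(host)), (40, user_b, len(user)), (44, pw_b, len(password))):
        struct.pack_into('<HH', payload, off, ib, cch)  # ibXxx (byte offset), cchXxx (char count)
        ib += len(blob)
    payload[FIXED:] = data
    return tds_packet(TDS_LOGIN7, bytes(payload))


def parse_login(packet):
    """Return (username, password length in characters) for a TDS login packet, else None."""
    if len(packet) < TDS_HEADER_LEN:
        return None
    ptype, payload = packet[0], packet[TDS_HEADER_LEN:]
    if ptype == TDS_LOGIN42:
        if len(payload) < 93:                           # need up to the password length byte
            return None
        user_len = min(payload[61], 30)
        user = payload[31:31 + user_len].decode('latin-1', 'replace')
        return user, payload[92]
    if ptype == TDS_LOGIN7:
        if len(payload) < 48:
            return None
        ib_user, cch_user, _ib_pw, cch_pw = struct.unpack_from('<HHHH', payload, 40)
        raw = payload[ib_user:ib_user + 2 * cch_user]
        if len(raw) != 2 * cch_user:                    # offset/length points outside the packet
            return None
        return raw.decode('utf-16-le', 'replace'), cch_pw
    return None                                         # not a login packet (e.g. SQL batch)


def is_empty_sa_login(packet):
    """Option 2 from the message: only an 'sa' login with a zero-length password is a probe."""
    parsed = parse_login(packet)
    if parsed is None:
        return False
    user, pw_len = parsed
    return user.lower() == 'sa' and pw_len == 0


def classify(dst_port, packet, runs_sql_server):
    """Option 1 when no SQL Server is present (any 1433 traffic is notable), option 2 otherwise."""
    if dst_port != MSSQL_PORT:
        return None
    if not runs_sql_server:
        return 'MS-SQL'
    return 'SQLSnake probe (sa, empty password)' if is_empty_sa_login(packet) else None


if __name__ == '__main__':
    for pkt in (build_login42('sa', ''), build_login7('sa', ''), build_login7('sa', 'hunter2')):
        print(parse_login(pkt), classify(MSSQL_PORT, pkt, runs_sql_server=True))
```

The payload check deliberately ignores everything but the username and password-length fields, so it does not fire on ordinary SQL batches or on password-protected "sa" logins, which is what keeps it from flagging all MS-SQL traffic; in a real sensor it would also be restricted to the client-to-server direction of an established session.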

