
[Snort-sigs] Snort SIG update - false positives on SID 2329

From: Dr. Christoph Wegener <wegener(at)wecon.net>
Date: Fri Mar 26 2004 - 03:57:50 EST

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3b|"; distance:0; isdataat:512,relative; content:!"|3b|"; within:512; reference:cve,CAN-2003-0903; reference:bugtraq,9407; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.asp; classtype:attempted-user; sid:2329; rev:2;)
--

Sid:
2329
--

Summary:
This event is generated when an attempt is made to exploit a known vulnerability in Microsoft Windows Data Access Components.
--

Impact:

--

Detailed Information:

--

Affected Systems:

--

Attack Scenarios:

--

Ease of Attack:

--

False Positives:
I have noticed false positives with our NFS servers when the payload fits the snort rule.
--

False Negatives:

--

Corrective Action:
Maybe exclude UDP port 2049 (NFS).
--

Contributors:


--

Additional References:

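To see exactly which UDP payloads SID 2329 fires on, and what the suggested port exclusion changes, here is a small re-implementation of the rule's detection options in Python. It is an added example, not code from the post or from Snort; it assumes Snort's usual semantics (byte_test is big-endian and does not move the match cursor; a content match is retried at later occurrences when the relative options after it fail), and the sample payloads are constructed.

```python
"""Re-implementation of the detection logic of Snort SID 2329 (added example)."""

EXCLUDED_PORTS = frozenset({2049})  # NFS, as suggested in the Corrective Action


def matches_sid_2329(payload: bytes) -> bool:
    """Return True when the payload satisfies every option of the rule."""
    # content:"|05|"; depth:1 -> the first byte must be 0x05
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    # byte_test:2,>,512,1 -> two bytes at offset 1, big-endian, must exceed 512
    if int.from_bytes(payload[1:3], "big") <= 512:
        return False
    # content:"|3b|"; distance:0 -> a ';' somewhere after the first byte.
    # Snort retries later ';' occurrences if the options that follow fail.
    start = 1
    while True:
        i = payload.find(b";", start)
        if i < 0:
            return False
        after = payload[i + 1:]
        # isdataat:512,relative -> at least 512 bytes follow the ';'
        # content:!"|3b|"; within:512 -> none of those 512 bytes is a ';'
        if len(after) >= 512 and b";" not in after[:512]:
            return True
        start = i + 1


def should_alert(src_port: int, dst_port: int, payload: bytes,
                 excluded_ports=EXCLUDED_PORTS) -> bool:
    """Apply the rule, then drop alerts involving an excluded (NFS) port."""
    if src_port in excluded_ports or dst_port in excluded_ports:
        return False
    return matches_sid_2329(payload)


# Constructed sample payloads (not captured traffic)
PROBE_LIKE = b"\x05\x04\x00;" + b"A" * 512            # fits every option
SEMICOLON_INSIDE = b"\x05\x04\x00;" + b"A" * 100 + b";" + b"B" * 412
SMALL_LENGTH = b"\x05\x01\x00;" + b"A" * 512           # 0x0100 = 256, fails byte_test

if __name__ == "__main__":
    print(matches_sid_2329(PROBE_LIKE), matches_sid_2329(SEMICOLON_INSIDE))
    # the same payload from an NFS reply is suppressed by the exclusion
    print(should_alert(2049, 1033, PROBE_LIKE), should_alert(4444, 1434, PROBE_LIKE))
```

In the rule itself the exclusion corresponds to replacing the source port `any` with `!2049` (Snort supports negated ports), which silences the NFS case but also any genuine probe response sent from that port.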



Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon Mar 29 09:01:40 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT

