RE: [Snort-users] MS-SQL Worm propagation -false positive (Snort forums, System Security and Security Related category)
This worm is only memory resident. When the laptop was rebooted or powered off the worm would have disappeared. Also I have heard that the worm spoofs source IP addresses (although I have not personally seen this activity on my network).

vjl

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Natalie Keller
Sent: Thursday, January 08, 2004 1:00 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] MS-SQL Worm propagation -false positive

Over a 5 minute interval Snort captured more than 500 scans with the classic signature for MS-SQL Worm propagation:

38>snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} xxx.xx.x.xx:1105 -> <many random ipaddrs>:1434

The originating IP belonged to a laptop running XP with all up-to-date connected to the network over VPN 3-DES tunnel. The laptop was brought to IT for cleaning. The laptop was found to be up-to-date with all patches/service packs. The drive was scanned with Norton Anti-virus with all current signatures and came up clean. The laptop has been back on the network for 2 days with no further incidents.

This would appear to be a false positive. Are there any other steps that could have been taken to track down and account for the original cause for this incident? Suggestions welcome. Thanks.

-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval!
http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
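One way to approach the "what other steps" question in the thread, as an added example that is not part of the original messages: tabulate the sid 2003 alerts per source address so the destination fan-out, source-port reuse and time span are recorded alongside the host examination. The syslog prefix, the sample lines and the `min_dsts` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog lines in the alert format quoted in the thread.
# Hostname, timestamps and the documentation-range addresses are made up.
_A = ("snort: [1:2003:2] MS-SQL Worm propagation attempt "
      "[Classification: Misc Attack] [Priority: 2]: {UDP}")
SAMPLE = "\n".join([
    f"Jan  8 12:55:01 sensor {_A} 192.0.2.10:1105 -> 198.51.100.7:1434",
    f"Jan  8 12:55:02 sensor {_A} 192.0.2.10:1105 -> 203.0.113.44:1434",
    "Jan  8 12:55:02 sensor snort: [1:1000001:1] constructed unrelated alert: "
    "{TCP} 192.0.2.10:3000 -> 198.51.100.9:80",
    f"Jan  8 12:55:03 sensor {_A} 192.0.2.10:1105 -> 198.51.100.201:1434",
    f"Jan  8 12:55:04 sensor {_A} 192.0.2.10:1105 -> 203.0.113.9:1434",
    f"Jan  8 12:58:30 sensor {_A} 192.0.2.77:2044 -> 198.51.100.7:1434",
])

# Match only sid 2003 alerts (any revision) aimed at UDP port 1434.
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort: \[1:2003:\d+\] .*?"
    r"\{UDP\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):1434$")

def summarize(log_text, year=2004):
    """Per source IP: alert count, distinct destinations/source ports, span in seconds."""
    hosts = defaultdict(lambda: {"n": 0, "dsts": set(), "sports": set(), "t": []})
    for line in log_text.splitlines():
        m = ALERT.match(line.strip())
        if not m:
            continue  # other sids and malformed lines are ignored
        h = hosts[m["src"]]
        h["n"] += 1
        h["dsts"].add(m["dst"])
        h["sports"].add(m["sport"])
        # Syslog timestamps carry no year, so the caller supplies it.
        h["t"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return {src: {"alerts": h["n"], "distinct_dsts": len(h["dsts"]),
                  "distinct_sports": len(h["sports"]),
                  "span_s": int((max(h["t"]) - min(h["t"])).total_seconds())}
            for src, h in hosts.items()}

def sweeping_sources(stats, min_dsts=3):
    """Sources that hit at least min_dsts distinct hosts (threshold is an assumption)."""
    return sorted(s for s, v in stats.items() if v["distinct_dsts"] >= min_dsts)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for src in sweeping_sources(stats):
        print(src, stats[src])
```

Since the reply mentions that the source address may be spoofed, the per-source grouping is a lead to confirm against other records rather than proof of which machine sent the traffic.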