Snort mailing list archives

RE: MS-SQL Worm propagation -false positive


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 8 Jan 2004 22:00:05 -0500

This worm is only memory resident. When the laptop was rebooted or powered
off the worm would have disappeared. Also I have heard that the worm
spoofs source IP addresses (although I have not personally seen this
activity on my network).

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Natalie Keller
Sent: Thursday, January 08, 2004 1:00 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MS-SQL Worm propagation -false positive

Over a 5 minute interval Snort captured more than 500 scans with the 
classic signature for MS-SQL Worm propagation:

38>snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: 
Misc Attack] [Priority: 2]: {UDP} xxx.xx.x.xx:1105 -> <many random 
ipaddrs>:1434

The originating ip belonged to a laptop running XP with all up-to-date 
connected to the network over VPN 3-DES tunnel. The laptop was brought 
to IT for cleaning. The laptop was found to be up-to-date with all 
patches/service packs. The drive was scanned with Norton Anti-virus with 
all current signatures and came up clean. The laptop has been back on 
the network for 2 days with no further incidents. This would appear to 
be a false positive. Are there any other steps that could have been taken 
to track down and account for the original cause of this incident? 
Suggestions welcome.

Thanks.




-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

