Snort mailing list archives

Rules update..


From: "Marc Hering" <mhering () reval com>
Date: Fri, 4 Mar 2005 11:12:36 -0500

Hey Guys,
Well, I am still setting up my very first install of the pig, and so far
it's been an interesting road.  First I had a bum hub that was not
letting traffic flow to the eth1 interface (hence no data :) ), and now
I am running into some more fun..
 
For some reason, on my test network Snort is generating some alerts that
I wasn't expecting to see. I see occasional SQL-PING attempts. The rule
that gets violated is:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:4;)
 
According to the Snort site, this shouldn't ever be a false positive,
but the only machines generating this alert are the machines that either
have SQL Server or the MSDE installed.   Should I be worried or just
move on to the next phase :)
 
Thanks in advance!!
Marc
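To see exactly what sid:2049 matches on, here is an added Python model of the rule above (example code, not from the thread or from Snort): it builds constructed IPv4/UDP datagrams, applies the rule header (udp $EXTERNAL_NET any -> $HOME_NET 1434) and the content:"|02|"; depth:1 option, and shows how the $EXTERNAL_NET setting decides whether hosts inside $HOME_NET can fire it. The HOME_NET value, the addresses and the payloads are assumptions; EXTERNAL_NET is modelled either as Snort's default "any" or as !$HOME_NET.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumed $HOME_NET for this example (constructed, not from the thread).
HOME_NET = ip_network("192.168.1.0/24")


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4 (no options) + UDP datagram; checksums left zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = ip_address(pkt[12:16]), ip_address(pkt[16:20])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def matches_sid_2049(src, dst, sport, dport, payload, external_is_not_home=False):
    """Rule header udp $EXTERNAL_NET any -> $HOME_NET 1434; option content:"|02|"; depth:1."""
    if external_is_not_home and src in HOME_NET:
        return False                      # EXTERNAL_NET = !$HOME_NET drops internal sources
    if dst not in HOME_NET or dport != 1434:
        return False
    return payload[:1] == b"\x02"         # depth:1 inspects only the first payload byte


def alert_sources(packets, external_is_not_home=False):
    """Source addresses that would raise 'MS-SQL ping attempt' under the given EXTERNAL_NET."""
    hits = []
    for pkt in packets:
        fields = parse_ipv4_udp(pkt)
        if fields and matches_sid_2049(*fields, external_is_not_home=external_is_not_home):
            hits.append(str(fields[0]))
    return hits


# Constructed traffic: one outside source, one host inside HOME_NET, and three non-matches.
SAMPLES = [
    build_ipv4_udp("10.0.0.5", "192.168.1.20", 1500, 1434, b"\x02"),        # matches
    build_ipv4_udp("192.168.1.30", "192.168.1.20", 1434, 1434, b"\x02"),    # only if EXTERNAL_NET is "any"
    build_ipv4_udp("10.0.0.9", "192.168.1.20", 1500, 1434, b"\x03\x41"),    # wrong first byte
    build_ipv4_udp("10.0.0.9", "192.168.1.20", 1500, 1434, b"\x00\x02"),    # 0x02 not at depth 1
    build_ipv4_udp("10.0.0.9", "192.168.1.20", 1500, 1433, b"\x02"),        # wrong port
]
```

With Snort's default `var EXTERNAL_NET any`, the internal 192.168.1.30 host fires the rule exactly like the outside source; setting EXTERNAL_NET to !$HOME_NET suppresses alerts on traffic that originates inside HOME_NET.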
 


