TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Mark -

The signature for the SQL scans was added a couple of XPUs ago. I see them all day long. You may want to check that the signature is enabled. By default the XPUs do not enable the new signatures that are added, so that you can select which ones apply to your network environment. You don't need a signature enabled that applies only to hacks against Apache web servers if you don't run the Apache web server... This goes a long way towards cutting down on the "false" positives.

I know I appreciate the capability to choose the (log) or (display) or (both) options for each signature. I have spent hours fine-tuning each sensor individually so that, say, the sensor on the outside (OUTSIDE) of the firewall will display but not log SQL probes while the INSIDE sensor will both log and display the same signature. The simple reasoning is that it allows me to log (and react if necessary) if a probe somehow managed to get through the firewall but not have to fill up the logs with failed probes. I can still see the probes from the console display, so I am not 'ignoring' the failed attempts - just not logging them unless I wish to follow up on anything I find interesting.

One of the added items in the 6.6 version of the console was that now when you 'inspect' an event you can cut-n-paste the info into Notepad or wherever. So even info not originally logged can be added to a database (of your own devising) as long as it is still active in the display of the console. The default setting of the console is to hold 5000 events, which is perfect for my environment, but it can be lowered or raised if you so need for yours (RAM is the issue there).

Anyways, the rest of that was just stuff that crossed my mind as I put together the first statement: New sigs are not enabled by default - you will need to go to the policy editor; open the policy assigned to the sensor; select the XPU tab; page through and enable/config each new signature that applies to your environment.

Have fun.
Hank Schupp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Hayes
Sent: Tuesday, September 03, 2002 9:52 PM
To: issforum
Subject: seeing lots of SQL-Server scans

We are seeing a large number of SQL Server scans (port 1433) but the sensors are not picking it up? Does the IDS pick up scans? Extract from our firewall log this morning ...

2002/09/03 14:44:17.542513 211.36.249.149 -> 146.195.30.5 TCP D=1433 S=12555 Syn Seq=240047220 Len=0 Win=16384
2002/09/03 14:44:17.543930 211.36.249.149 -> 146.195.30.7 TCP D=1433 S=12557 Syn Seq=240135344 Len=0 Win=16384
2002/09/03 14:44:17.548244 211.36.249.149 -> 146.195.30.10 TCP D=1433 S=12560 Syn Seq=240291844 Len=0 Win=16384
2002/09/03 14:44:17.552256 211.36.249.149 -> 146.195.30.1 TCP D=1433 S=12551 Syn Seq=239879230 Len=0 Win=16384
2002/09/03 14:44:17.552863 211.36.249.149 -> 146.195.30.12 TCP D=1433 S=12562 Syn Seq=240366083 Len=0 Win=16384
2002/09/03 14:44:17.554616 211.36.249.149 -> 146.195.30.3 TCP D=1433 S=12553 Syn Seq=239969397 Len=0 Win=16384
2002/09/03 14:44:17.558333 211.36.249.149 -> 146.195.30.17 TCP D=1433 S=12567 Syn Seq=240611292 Len=0 Win=16384
2002/09/03 14:44:17.558948 211.36.249.149 -> 146.195.30.9 TCP D=1433 S=12559 Syn Seq=240257460 Len=0 Win=16384
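Mark's firewall extract above is the textbook shape of a horizontal scan: one source, one destination port (1433), many destination hosts within a few milliseconds. Whether or not the sensor's signature is enabled, the same pattern can be pulled out of the firewall's own log, which also sees probes the firewall dropped before any sensor behind it could. The following Python detector is an added example for this thread, not code from the post or from the IDS product being discussed. It assumes the log line layout is fixed as shown in the eight quoted lines; the two-second window, the five-host threshold, and the two extra 198.51.100.7 lines (RFC 5737 documentation address, added as non-scan traffic) are constructed for the example.

```python
"""Horizontal port-scan detection over firewall SYN log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input, constructed for this example: the eight lines quoted in the
# post, followed by two unrelated single-destination connections that must
# not produce an alert.
SAMPLE_LOG = """\
2002/09/03 14:44:17.542513 211.36.249.149 -> 146.195.30.5 TCP D=1433 S=12555 Syn Seq=240047220 Len=0 Win=16384
2002/09/03 14:44:17.543930 211.36.249.149 -> 146.195.30.7 TCP D=1433 S=12557 Syn Seq=240135344 Len=0 Win=16384
2002/09/03 14:44:17.548244 211.36.249.149 -> 146.195.30.10 TCP D=1433 S=12560 Syn Seq=240291844 Len=0 Win=16384
2002/09/03 14:44:17.552256 211.36.249.149 -> 146.195.30.1 TCP D=1433 S=12551 Syn Seq=239879230 Len=0 Win=16384
2002/09/03 14:44:17.552863 211.36.249.149 -> 146.195.30.12 TCP D=1433 S=12562 Syn Seq=240366083 Len=0 Win=16384
2002/09/03 14:44:17.554616 211.36.249.149 -> 146.195.30.3 TCP D=1433 S=12553 Syn Seq=239969397 Len=0 Win=16384
2002/09/03 14:44:17.558333 211.36.249.149 -> 146.195.30.17 TCP D=1433 S=12567 Syn Seq=240611292 Len=0 Win=16384
2002/09/03 14:44:17.558948 211.36.249.149 -> 146.195.30.9 TCP D=1433 S=12559 Syn Seq=240257460 Len=0 Win=16384
2002/09/03 14:44:18.100000 198.51.100.7 -> 146.195.30.5 TCP D=80 S=40001 Syn Seq=1 Len=0 Win=16384
2002/09/03 14:44:19.100000 198.51.100.7 -> 146.195.30.5 TCP D=443 S=40002 Syn Seq=2 Len=0 Win=16384
"""

# Field layout of the firewall log as it appears in the post (assumed fixed):
# <date time> <src> -> <dst> <proto> D=<dport> S=<sport> <flags> ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>\S+)\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<flags>\S+)"
)


def parse_line(line):
    """Return the parsed fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S.%f")
    rec["dport"] = int(rec["dport"])
    rec["sport"] = int(rec["sport"])
    return rec


def detect_horizontal_scans(lines, window=timedelta(seconds=2), threshold=5):
    """Flag a source that sends SYNs to >= `threshold` distinct hosts on one
    destination port within `window`.

    Events are processed in timestamp order. For each (src, dport) a sliding
    window of recent (ts, dst) pairs is kept; once the number of distinct
    destinations in the window reaches the threshold an alert is opened and
    then extended with every further target seen in the window. The default
    window and threshold are assumptions for this example, not values from
    the post; tune them to the network being watched.
    """
    events = [r for r in (parse_line(l) for l in lines)
              if r is not None and r["flags"].lower() == "syn"]
    events.sort(key=lambda r: r["ts"])

    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst), oldest first
    alerts = {}                  # (src, dport) -> alert in progress

    for ev in events:
        key = (ev["src"], ev["dport"])
        dq = recent[key]
        dq.append((ev["ts"], ev["dst"]))
        # Expire entries that fell out of the window.
        while ev["ts"] - dq[0][0] > window:
            dq.popleft()
        targets = {dst for _, dst in dq}
        if len(targets) >= threshold:
            alert = alerts.setdefault(key, {
                "src": ev["src"], "dport": ev["dport"],
                "first_seen": dq[0][0], "last_seen": ev["ts"], "targets": set(),
            })
            alert["targets"] |= targets
            alert["last_seen"] = ev["ts"]

    # Present targets as a sorted list so the result is stable and printable.
    return [dict(a, targets=sorted(a["targets"]), target_count=len(a["targets"]))
            for a in alerts.values()]


if __name__ == "__main__":
    for a in detect_horizontal_scans(SAMPLE_LOG.splitlines()):
        span = (a["last_seen"] - a["first_seen"]).total_seconds()
        print(f"{a['src']} probed {a['target_count']} hosts on TCP/{a['dport']} "
              f"within {span:.3f}s: {', '.join(a['targets'])}")
```

Run against the sample, the detector reports a single alert for 211.36.249.149 covering all eight 146.195.30.x hosts on TCP/1433, and nothing for the two ordinary connections. Keying the window on (source, destination port) rather than on source alone is what separates a sweep for one service from a busy but legitimate client; raising the threshold or shortening the window trades missed slow scans for fewer false alarms, which is the same trade-off Hank describes making per sensor.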
