Hi all. I thought that SQL_Login means that somebody has logged in to SQL Server with SQL Server authentication. It's really interesting because SQL Server by default uses weak encryption and it's no problem to get the password from traffic. But today I found this in the details of a SQL_Login event:

    Date/Time                  2004-07-20 09:06:09 MSD
    Tag Name                   SQL_Login
    Alert Name                 SQL_Login
    Severity                   Low
    Observance Type            Intrusion Detection
    Combined Event Count       1
    Cleared Flag               false
    Target DNS Name            xxx.xxx.xxx
    Target IP Address          x.x.x.x
    Target Object Name         139
    Target Object Type         Target Port
    Source DNS Name            qqq.qqq.qqqq
    Source IP Address          w.w.w.w
    SourcePort Name            1093
    Sensor IP Address          sss.sss.sss.sss
    Sensor Name                network_sensor_1
    :CLIENT                    WCR30707
    :intruder-ip-addr          w.w.w.w
    :intruder-port             1093
    :SERVER                    HQSQL04
    :USER                      YOMokrushina
    :victim-ip-addr            x.x.x.x
    :victim-port               139
    algorithm-id               3000902
    AnalyzedBy                 SecurityFusion
    FusionVulnStatus           Unknown impact (no correlation)
    Packet DestinationAddress  w.w.w.w
    Packet DestinationPort     1093
    Packet SourceAddress       x.x.x.x
    Packet SourcePort          139
    Packet SourcePortName      netbios-ssn
    StatusSource               none

Does this information mean that SQL Server is listening on port 139/tcp? It's a delusion. So, the question is: what does the SQL_Login signature detect?

Thank you all.

---
Best regards, Sergey V. Soldatov.

_______________________________________________
ISSForum mailing list
