688.txt

This is the snapshot of Snot Latest Rules

Rule:  

--
Sid: 
688

-- 

Summary: 
This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.

-- 
Impact: 
Serious. An attacker may have gained administrator access to the system.

--
Detailed Information:
This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. In particular, this event is generated when a failed login as the "sa" user is detected. This may indicate an attempt to access the database as the "sa" user. Multiple events may indicate attempts to gain access via brute force password guessing techniques.

Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
 
This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 

--

Attack Scenarios: 
Simple. These are SQL database commands.

-- 

Ease of Attack: 
Simple.

-- 

False Positives: 
This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.

--
False Negatives:
None Known

-- 

Corrective Action: 
Disallow direct access to the SQL server from sources external to the protected network.

Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise

Look for other events generated by the same IP addresses.

--
Contributors: 
Original Rule Writer Unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

OSVDB:
http://www.osvdb.org/15757

--