Signature Name=MSSQL Resolution Service

Unanswered Question
Mar 3rd, 2009

What causes this signature to trigger?

I am not using any SQL services with host 172.19.107.55, I scanned the host for the worm, and I have never accessed the IP 203.161.77.136 from that host.

Any suggestions?

Event ID=1214348868918579818
Severity Level=3
Device Name=IDSM2CORE1
Receive Time=March 3, 2009 5:08:17 PM IST
Event UTC Time=March 3, 2009 11:42:52 AM UTC
Event Local Time=March 3, 2009 9:42:52 PM UTC
Sig ID=4704
Signature Name=MSSQL Resolution Service Heap Overflow
Subsig ID=0
Sig Details=MSSQL Resolution Service Heap Overflow
Sig Version=S161
Src Address=172.19.107.55
Src Port=0
Src Locality=OUT
Dst Address=203.161.77.136
Dst Port=0
Dst OS=unknown unknown (unknown)
Dst Locality=OUT
Summary Count=2
Interface=ge0_7
VLAN ID=25
Virtual Sensor=vs1
Actions=
Alarm Details=Regular Summary: 2 events this interval ;
Risk Rating=100 (TVR=high)
Threat Rating=100
Protocol=udp

Anonymous (not verified) Mon, 03/09/2009 - 15:00

Certain network traffic can trigger IPS signatures which use the regular expression feature of the ATOMIC.TCP signature engine, which may cause the IOS IPS device to crash. This may cause a denial of service resulting in disruption of network traffic. Signature 3123.0 (Netbus Pro Traffic) has been demonstrated to trigger this vulnerability. There is a workaround for this vulnerability.

wsulym Tue, 03/10/2009 - 06:51

A little history: 4704-0 was released in S161, obsoletes 4702-0, and by default is shipped disabled.

It's a pretty specific signature, looking for a 0x08 byte with a long string that is sent to UDP port 1434, which causes heap corruption. This is CVE-2002-0649, as exploited by the Slammer/Sapphire worm.

Some more detail:

http://tools.cisco.com/security/center/viewAlert.x?alertId=4256

http://tools.cisco.com/security/center/viewAlert.x?alertId=5358

So the question that remains is: if the host is not infected, what is it sending via UDP port 1434 to 203.161.77.136, which appears to be some machine out of Australia (at least that's where a traceroute leads me)? Whatever it's sending, it looks just like Slammer/Sapphire packets.
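As an added example (not code from this thread or from Cisco's signature), the pattern Walter describes applied to sample UDP/1434 payloads: a first byte of 0x08 followed by a long string. The 64-byte cut-off and the sample datagrams are assumptions; the opcode names come from the SQL Server Browser (SSRP) protocol.

```python
# Flag UDP/1434 datagrams matching what signature 4704-0 keys on: an SSRP
# request whose first byte is 0x08 followed by an overly long string.
from typing import Iterable, Tuple

# SSRP request opcodes (first payload byte). 0x02-0x04 are normal SQL Browser
# lookups; 0x08 is the message type the signature watches for.
OPCODES = {0x02: "CLNT_BCAST_EX", 0x03: "CLNT_UCAST_EX",
           0x04: "CLNT_UCAST_INST", 0x08: "SSRP_0x08"}
SSRP_PORT = 1434
# Assumed cut-off for "long string": the thread gives no figure, so 64 is a
# constructed value, not the signature's real parameter.
LONG_STRING_THRESHOLD = 64


def classify_ssrp(payload: bytes) -> dict:
    """Name the opcode and say whether the payload matches the 0x08 pattern."""
    if not payload:
        return {"opcode": None, "name": "empty", "string_len": 0,
                "suspicious": False}
    opcode, body = payload[0], payload[1:]
    return {
        "opcode": opcode,
        "name": OPCODES.get(opcode, f"unknown_0x{opcode:02x}"),
        "string_len": len(body),
        "suspicious": opcode == 0x08 and len(body) > LONG_STRING_THRESHOLD,
    }


def scan_datagrams(datagrams: Iterable[Tuple[str, str, int, bytes]]) -> list:
    """Run the check on (src_ip, dst_ip, dst_port, payload) tuples bound for
    port 1434; other ports are ignored, as the signature only inspects 1434."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != SSRP_PORT:
            continue
        info = classify_ssrp(payload)
        if info["suspicious"]:
            alerts.append({"src": src, "dst": dst, **info})
    return alerts


# Constructed samples: two normal Browser lookups, a short 0x08 request, a
# long 0x08 request, and the same long packet on an unrelated port.
SAMPLES = [
    ("172.19.107.55", "203.161.77.136", 1434, b"\x02"),
    ("172.19.107.55", "10.0.0.5", 1434, b"\x04MSSQLSERVER\x00"),
    ("172.19.107.55", "10.0.0.5", 1434, b"\x08" + b"x" * 16),
    ("172.19.107.55", "203.161.77.136", 1434, b"\x08" + b"A" * 120),
    ("172.19.107.55", "203.161.77.136", 1433, b"\x08" + b"A" * 120),
]
```

Calling scan_datagrams(SAMPLES) returns a single alert, for the 120-byte 0x08 packet to 203.161.77.136; the same payload on port 1433 is ignored, which is why a summary alert like the one above points you at port 1434 traffic specifically.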

dinesh.das Thu, 03/12/2009 - 21:43

Hi Walter,

Thank you for your reply,

You are right, this IP is indeed somewhere in Australia. There were alerts for other hosts to some different global IPs. I traced that IP through our proxy server logs, and it shows some advertisement link on some web page.

I scanned the entire network with removal tools like FixSQLex and f-slammer.

A bit confused about this; I don't know what action I should take other than blocking that port on the firewall....

Dinesh
