SQL 1433 Signature

scothrel Wed, 02/27/2002 - 10:32
User Badges: Cisco Employee

Here is a screen shot of SigWizMenu (custom signature) that will alarm for a default sa access. Simply matching on 'sa' will not do the trick as there is null padding on some clients and a match of 'sa' will false positive like crazy.



Current Signature: Engine STRING.TCP SIGID 20000
SigName: Default sa account access
___________________________________________________________________________

0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength = 160
8 - MinHits = 1
9 - MinMatchLength =
10 - MultipleHits =
11 * RegexString = [Ss][\x00]?[Aa][\x00]?[\x20-\x7f]
12 - ResetAfterIdle = 15
13 - ServicePorts = 1433
14 - SigComment =
15 - SigName = Default sa account access
16 - SigStringInfo =
17 - StripTelnetOptions =
18 - ThrottleInterval = 15
19 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________

Selection>
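What the RegexString above does compared with a plain 'sa' match, as an added example that is not part of the original post. Python's `re` stands in for the sensor's regex engine and MaxInspectLength is modelled as a prefix window (both assumptions); the byte strings are constructed for illustration, not captured login packets.

```python
import re

# RegexString and MaxInspectLength copied from the signature above.
SIG_REGEX = re.compile(rb"[Ss][\x00]?[Aa][\x00]?[\x20-\x7f]")
NAIVE_REGEX = re.compile(rb"sa")
MAX_INSPECT_LENGTH = 160


def fires(pattern, stream):
    """True if pattern matches inside the inspected window.

    Assumption: MaxInspectLength means only the first N bytes of the
    client-to-server stream are searched.
    """
    return pattern.search(stream[:MAX_INSPECT_LENGTH]) is not None


def field(text, wide):
    """Encode a string one byte per character, or null-interleaved (wide)."""
    return text.encode("utf-16-le" if wide else "ascii")


# Constructed samples: filler bytes, a name field, then whatever follows it.
FILLER = b"\x10\x01\x00\x5a" + b"\x00" * 20
SAMPLES = {
    "ascii_sa":     FILLER + field("sa", False) + field("app", False),
    "wide_sa":      FILLER + field("sa", True) + field("app", True),
    "wide_SA":      FILLER + field("SA", True) + field("app", True),
    "wide_webuser": FILLER + field("webuser", True) + field("app", True),
    "ascii_lisa":   FILLER + field("lisa", False) + b"\xa5\xb3" + b"app",
    "wide_SALES01": FILLER + field("SALES01", True) + field("webuser", True),
    # Query text that arrives after the inspected window has closed.
    "late_query":   b"\x00" * 200 + b"select * from sales",
}


def evaluate():
    """Map sample name -> (plain 'sa' fires, signature regex fires)."""
    return {name: (fires(NAIVE_REGEX, data), fires(SIG_REGEX, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, sig) in evaluate().items():
        print(f"{name:13} naive={naive!s:5} signature={sig}")
```

The `wide_SALES01` row shows that the expression also fires on any S, A, printable-character sequence inside the window, so a host or application name beginning with "SA" can still trigger it and is worth checking when tuning.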


