Cisco Support Community

New Member

Signature Name=MSSQL Resolution Service

What causes this signature to trigger?

I am not using any SQL services on the host, I scanned the host for worms, and I never accessed this IP from the host.

Any suggestions?

Event ID=1214348868918579818

Severity Level=3

Device Name=IDSM2CORE1

Receive Time=March 3, 2009 5:08:17 PM IST

Event UTC Time=March 3, 2009 11:42:52 AM UTC

Event Local Time=March 3, 2009 9:42:52 PM UTC

Sig ID=4704

Signature Name=MSSQL Resolution Service Heap Overflow

Subsig ID=0

Sig Details=MSSQL Resolution Service Heap Overflow

Sig Version=S161

Src Address=

Src Port=0

Src Locality=OUT

Dst Address=

Dst Port=0

Dst OS=unknown unknown (unknown)

Dst Locality=OUT

Summary Count=2



Virtual Sensor=vs1


Alarm Details=Regular Summary: 2 events this interval ;

Risk Rating=100 (TVR=high)

Threat Rating=100



Re: Signature Name=MSSQL Resolution Service

Certain network traffic can trigger IPS signatures which use the regular expression feature of the ATOMIC.TCP signature engine, which may cause the IOS IPS device to crash. This may cause a denial of service resulting in disruption of network traffic. Signature 3123.0 (Netbus Pro Traffic) has been demonstrated to trigger this vulnerability. There is a workaround for this vulnerability.

Cisco Employee

Re: Signature Name=MSSQL Resolution Service

A little history: 4704-0 was released in S161, obsoletes 4702-0, and by default is shipped as disabled.

It's a pretty specific signature looking for a x08 byte with a long string that is sent to UDP port 1434, which causes heap corruption. This is CVE-2002-0649 as exploited by the Slammer/Sapphire worm.

Some more detail:

So the question that remains is: if the host is not infected, what is it sending via UDP port 1434 to which appears to be some machine out of Australia (at least that's where a traceroute leads me)? Whatever it's sending looks just like Slammer/Sapphire packets.
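One way to check what a host is actually sending to UDP port 1434 against the pattern described in the reply above, as an added example (not part of the thread and not Cisco's signature logic). The length threshold, the function names and the sample datagrams are assumptions constructed for illustration.

```python
from collections import defaultdict

SSRP_PORT = 1434       # UDP port named in the reply above
LEAD_BYTE = 0x08       # leading byte the reply says signature 4704-0 looks for
LONG_STRING_MIN = 64   # ASSUMPTION: the thread says "long string" but gives no length


def classify(dst_port, payload):
    """Classify one UDP datagram against the pattern described in the thread."""
    if dst_port != SSRP_PORT:
        return "other-port"
    if not payload:
        return "empty"
    if payload[0] != LEAD_BYTE:
        return "udp1434-other-request"
    # Everything after the leading byte is treated as the string.
    if len(payload) - 1 >= LONG_STRING_MIN:
        return "matches-described-pattern"
    return "udp1434-0x08-short"


def summarize(datagrams):
    """Group verdicts by source host so the emitting machines stand out."""
    report = defaultdict(lambda: {"verdicts": defaultdict(int), "dsts": set()})
    for src, dst, dst_port, payload in datagrams:
        verdict = classify(dst_port, payload)
        if verdict == "other-port":
            continue  # not relevant to this signature
        report[src]["verdicts"][verdict] += 1
        report[src]["dsts"].add(dst)
    return {s: {"verdicts": dict(r["verdicts"]), "dsts": sorted(r["dsts"])}
            for s, r in report.items()}


# Constructed sample capture: documentation addresses and filler payloads,
# standing in for datagrams exported from a packet capture of the host.
SAMPLE = [
    ("192.0.2.10", "203.0.113.5", 1434, b"\x08" + b"A" * 200),
    ("192.0.2.10", "203.0.113.9", 1434, b"\x08" + b"A" * 200),
    ("192.0.2.11", "203.0.113.5", 1434, b"\x08short"),
    ("192.0.2.12", "203.0.113.5", 1434, b"\x02"),
    ("192.0.2.12", "203.0.113.5", 53, b"\x08" + b"A" * 200),
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

A host that shows `matches-described-pattern` toward several unrelated destinations is the one to isolate and inspect first; a host with only short or other request types is more likely a benign client or a signature false positive.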

New Member

Re: Signature Name=MSSQL Resolution Service

Hi Walter,

Thank you for your reply,

You are right, this IP is somewhere in Australia only. There were alerts for other hosts to some different global IPs. I traced that IP through our proxy server logs, and it shows some advertisement link on some web page.

I scanned the entire network with removal tools like FixSQLex and f-slammer.

I'm a bit confused about this. I don't know what action I should take rather than blocking that port on the firewall....