Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
423
Views
0
Helpful
1
Replies

SQL 1433 Signature

mklotzba
Cisco Employee
Cisco Employee

‎02-27-2002 09:50 AM - edited ‎03-08-2019 09:56 PM

Are we working on a signature for identifying the

SQL 1433 concern?

http://www.kb.cert.org/vuls/id/635463

If so, when do we expect it to be out?

Cheers,

Mklotzba@cisco.com

Labels:
0 Helpful
1 Reply 1

scothrel
Level 3
Level 3

‎02-27-2002 10:32 AM

Here is a screen shot of SigWizMenu (custom signature) that will alarm for a

default sa access. Simply matching on 'sa' will not do the trick as there is

null padding on some clients and a match of 'sa' will false positive like

crazy.

Current Signature: Engine STRING.TCP SIGID 20000

SigName: Default sa account access

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength = 160

8 - MinHits = 1

9 - MinMatchLength =

10 - MultipleHits =

11 * RegexString = [Ss][\x00]?[Aa][\x00]?[\x20-\x7f]

12 - ResetAfterIdle = 15

13 - ServicePorts = 1433

14 - SigComment =

15 - SigName = Default sa account access

16 - SigStringInfo =

17 - StripTelnetOptions =

18 - ThrottleInterval = 15

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Selection>

0 Helpful
Customers Also Viewed These Support Documents