4. Snort not blocking SQL Authentication Failures

Snort not blocking SQL Authentication Failures

  • R

    I'm getting a pile of SQL attackes on my in house SQL Server

    Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 222.221.251.68]

    I have snort's rules setup to block these types of attacks (snort_sql.rules - SQL sa login failed ), but it doesn't seem to be trapping them. Am I missing something?

    0
  • Rebel Alliance Developer Netgate

    Do you even get an alert in snort for that?

    Often, snort is reactionary – meaning it can't block an attack until it has already happened once -- because it's not run inline. Are you seeing repeated attempts from the same IP?

    [Insert lengthy cautionary advice about not exposing your SQL server to the Internet at large, use a VPN and/or IP restrictions, etc, etc]

    0
  • R

    Yeah the attacks come from the same IP over and over and there are zero alerts in snort.  The SQL Server is exposed because I develop outside the local network.  However you are correct…I have got the VPN working now, so maybe I'll close it down and connect via VPN.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy