Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort not blocking SQL Authentication Failures

    Scheduled Pinned Locked Moved
    General pfSense Questions
    2
    3
    1.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rockinthesixstring
      last edited by

      I'm getting a pile of SQL attackes on my in house SQL Server

      Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 222.221.251.68]

      I have snort's rules setup to block these types of attacks (snort_sql.rules - SQL sa login failed ), but it doesn't seem to be trapping them. Am I missing something?

      Chase
      Link Removed
      PFSense 2.0.1 - RELEASE

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Do you even get an alert in snort for that?

        Often, snort is reactionary – meaning it can't block an attack until it has already happened once -- because it's not run inline. Are you seeing repeated attempts from the same IP?

        [Insert lengthy cautionary advice about not exposing your SQL server to the Internet at large, use a VPN and/or IP restrictions, etc, etc]

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • R
          rockinthesixstring
          last edited by

          Yeah the attacks come from the same IP over and over and there are zero alerts in snort.  The SQL Server is exposed because I develop outside the local network.  However you are correct…I have got the VPN working now, so maybe I'll close it down and connect via VPN.

          Chase
          Link Removed
          PFSense 2.0.1 - RELEASE

          1 Reply Last reply Reply Quote 0
          • First post
            Last post