Snort not blocking SQL Authentication Failures



  • I'm getting a pile of SQL attacks on my in house SQL Server

    Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 222.221.251.68]

    I have snort's rules setup to block these types of attacks (snort_sql.rules - SQL sa login failed ), but it doesn't seem to be trapping them. Am I missing something?
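Since the Snort rule is not firing here, a host-side fallback is to work from the SQL Server ERRORLOG lines themselves, like the one quoted above: count failed 'sa' logins per `[CLIENT: ...]` address and emit the addresses worth blocking. The script below is an added example for this thread, not code from any participant or from Snort; the log lines are constructed to match the quoted format, the threshold of three failures is a hypothetical policy value, and non-IP client tags such as `<local machine>` are skipped because they cannot be fed to a firewall.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample ERRORLOG excerpt modelled on the line quoted in the post
# (not a real capture): repeated 'sa' failures from one host, one failure for a
# different login, one failure from a local (non-IP) client, and an unrelated line.
SAMPLE_ERRORLOG = """\
2012-05-01 10:15:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 222.221.251.68]
2012-05-01 10:15:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 222.221.251.68]
2012-05-01 10:15:04.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 222.221.251.68]
2012-05-01 10:16:10.00 spid52      Using 'xpstar.dll' version '2009.100.1600' to execute extended stored procedure 'xp_instance_regread'.
2012-05-01 10:17:22.17 Logon       Login failed for user 'devuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2012-05-01 10:17:40.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
2012-05-01 10:18:00.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches the login name and the CLIENT tag of a SQL Server "Login failed" entry.
LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def count_failures(errorlog: str, user: str = "sa") -> Counter:
    """Count failed logins for `user`, keyed by client IP address.

    Lines whose CLIENT tag is not an IP address (e.g. '<local machine>' for
    local connections) are ignored, since they cannot be blocked by source IP.
    """
    counts = Counter()
    for line in errorlog.splitlines():
        m = LOGIN_FAILED.search(line)
        if not m or m.group("user") != user:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("client")))
        except ValueError:
            continue  # named pipe / shared memory / local client, no IP to block
        counts[ip] += 1
    return counts


def ips_to_block(errorlog: str, threshold: int = 3, user: str = "sa") -> list:
    """Return the client IPs with at least `threshold` failed logins for `user`.

    The threshold is a hypothetical policy value chosen for this example; this
    is a reactive check, so the first failures from a host are always seen
    before it can be blocked.
    """
    return sorted(ip for ip, n in count_failures(errorlog, user).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in count_failures(SAMPLE_ERRORLOG).most_common():
        print(f"{ip}: {n} failed 'sa' logins")
    print("block:", ips_to_block(SAMPLE_ERRORLOG))
```

The output is a plain list of addresses, so it can be fed to whatever blocking mechanism is in front of the server (a firewall alias, a host firewall rule) instead of depending on the IDS seeing and recognising the traffic. Like Snort in the non-inline setup described below, this only reacts after failures have already been logged.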


  • Rebel Alliance Developer Netgate

    Do you even get an alert in snort for that?

    Often, snort is reactionary – meaning it can't block an attack until it has already happened once -- because it's not run inline. Are you seeing repeated attempts from the same IP?

    [Insert lengthy cautionary advice about not exposing your SQL server to the Internet at large, use a VPN and/or IP restrictions, etc, etc]



  • Yeah the attacks come from the same IP over and over and there are zero alerts in snort.  The SQL Server is exposed because I develop outside the local network.  However you are correct…I have got the VPN working now, so maybe I'll close it down and connect via VPN.

