
[ISSForum] SQL_Login signature



Hi all.
I thought that SQL_Login means that somebody has logged in to SQL Server with
SQL Server authentication. It's really interesting because SQL Server by
default uses weak encryption and it's no problem to get the password from
the traffic. But today I found this in the details of a SQL_Login event:

Date/Time   2004-07-20 09:06:09 MSD
Tag Name    SQL_Login
Alert Name  SQL_Login
Severity    Low
Observance Type   Intrusion Detection
Combined Event Count    1
Cleared Flag      false
Target DNS Name   xxx.xxx.xxx
Target IP Address x.x.x.x
Target Object Name      139
Target Object Type      Target Port
Source DNS Name   qqq.qqq.qqqq
Source IP Address w.w.w.w
SourcePort Name   1093
Sensor IP Address sss.sss.sss.sss
Sensor Name network_sensor_1
:CLIENT     WCR30707
:intruder-ip-addr w.w.w.w
:intruder-port    1093
:SERVER     HQSQL04
:USER YOMokrushina
:victim-ip-addr   x.x.x.x
:victim-port      139
algorithm-id      3000902
AnalyzedBy  SecurityFusion
FusionVulnStatus  Unknown impact (no correlation)
Packet DestinationAddress     w.w.w.w
Packet DestinationPort  1093
Packet SourceAddress    x.x.x.x
Packet SourcePort 139
Packet SourcePortName   netbios-ssn
StatusSource      none

Does this information mean that SQL Server is listening on port 139/tcp?
It's a delusion.
So, the question is: what does the SQL_Login signature detect?

Thank you all.

---
Best regards, Sergey V. Soldatov.




The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.