ET SCAN Suspicious inbound to MSSQL port 1433

This alert fires on TCP SYN packets sent from an external network ($EXTERNAL_NET) to port 1433, the default Microsoft SQL Server (MSSQL) listener, on an internal host ($HOME_NET). The threshold in the signature limits reporting to five such packets per source address per 60 seconds, so even a single alert means an outside host is probing or connecting to the database listener. Such traffic may indicate an adversary scanning for exposed SQL Servers, attempting to gain initial access to the DB by authenticating to it, or connecting to read or write data in the DB.

Categories:

ID Number

4000760

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:4000760; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
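The following is an added example, not code from the original page or from the Emerging Threats ruleset: a small Python simulation of what the signature's options mean, so the matching and threshold behaviour can be checked against constructed traffic. It assumes $HOME_NET is the three RFC 1918 ranges and $EXTERNAL_NET is the negation of $HOME_NET (the common default); the packet records are constructed, not captured.

```python
"""Simulation of the matching and threshold semantics of
"ET SCAN Suspicious inbound to MSSQL port 1433" (sid 4000760).
Added example only: not Suricata code and not part of the ruleset.
All packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# $HOME_NET for this example (assumption: replace with your own ranges).
HOME_NET = [ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

MSSQL_PORT = 1433
THRESHOLD_COUNT = 5      # threshold: type limit, count 5
THRESHOLD_SECONDS = 60   # seconds 60, track by_src


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters in tcpdump style: "S", "SA", "PA", ...


def in_home_net(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in HOME_NET)


def matches_rule(p: Packet) -> bool:
    """Per-packet part of the signature:
    tcp $EXTERNAL_NET any -> $HOME_NET 1433; flow:to_server; flags:S.
    $EXTERNAL_NET is treated as !$HOME_NET (assumption). flags:S means
    exactly SYN, so the server's SYN/ACK reply never matches."""
    return (not in_home_net(p.src)
            and in_home_net(p.dst)
            and p.dport == MSSQL_PORT
            and p.flags == "S")


class LimitThreshold:
    """threshold: type limit, count N, seconds T, track by_src.
    Alerts on the first N matches from a source within a T-second window
    that opens at the first match, then stays silent for that source
    until the window expires."""

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.seconds = seconds
        self._state: Dict[str, Tuple[float, int]] = {}  # src -> (window_start, fired)

    def allow(self, src: str, ts: float) -> bool:
        start, fired = self._state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, fired = ts, 0            # open a new window
        ok = fired < self.count
        self._state[src] = (start, fired + 1 if ok else fired)
        return ok


def run(packets: List[Packet]) -> List[Tuple[float, str]]:
    """Return (timestamp, source) for every alert the rule would raise."""
    th = LimitThreshold(THRESHOLD_COUNT, THRESHOLD_SECONDS)
    alerts = []
    for p in sorted(packets, key=lambda q: q.ts):
        if matches_rule(p) and th.allow(p.src, p.ts):
            alerts.append((p.ts, p.src))
    return alerts


def sample_packets() -> List[Packet]:
    """Constructed traffic: 203.0.113.7 and 198.51.100.9 are documentation
    addresses (TEST-NET), 10.1.2.x stands in for internal hosts."""
    pk = []
    # External host sends 8 SYNs to the MSSQL listener within 8 seconds.
    for i in range(8):
        pk.append(Packet(1000.0 + i, "203.0.113.7", 40000 + i, "10.1.2.3", 1433, "S"))
    # The server's SYN/ACK back to the scanner: to_client, flags SA, no match.
    pk.append(Packet(1000.5, "10.1.2.3", 1433, "203.0.113.7", 40000, "SA"))
    # Internal application server -> internal MSSQL: src is in $HOME_NET, no match.
    pk.append(Packet(1001.0, "10.1.2.50", 51000, "10.1.2.3", 1433, "S"))
    # External SYN to a different port: not this rule.
    pk.append(Packet(1002.0, "198.51.100.9", 4444, "10.1.2.3", 1434, "S"))
    # Same scanner returns after the 60 s window: a new window, alerts again.
    pk.append(Packet(1130.0, "203.0.113.7", 40100, "10.1.2.4", 1433, "S"))
    return pk


if __name__ == "__main__":
    for ts, src in run(sample_packets()):
        print(f"{ts:.1f} alert sid:4000760 from {src}")
```

Run as written, the eight SYNs from 203.0.113.7 produce only five alerts (the `limit` threshold suppresses the remaining three), the returning probe two minutes later produces a sixth, and the internal connection, the SYN/ACK reply and the SYN to port 1434 produce none. A completed handshake would therefore not show up on its own; whether the database actually answered has to be checked in the flow records or on the host.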

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

Block all inbound connections to the DB from external networks at the perimeter, so that TCP port 1433 (MSSQL) is not reachable from outside. If external access to the DB is genuinely required, allow it only from specific, known source assets rather than from any address. When investigating an alert, check whether the source is an authorized scanner, whether the TCP handshake completed (a lone SYN is a probe, a completed connection means the listener is exposed), and review the SQL Server logs for failed or unexpected logins from the same source.

Comments

There are two rules: SID 47634 detects exploitation of CVE-2018-11776. SID 27574 detects exploitation of CVE-2013-2134 and CVE-2013-2135.