ET SCAN NNG MS02-039 Exploit False Positive Generator – May Conceal A Genuine Attack
This alert is triggered by UDP traffic towards port 1434 (the port typically associated with Microsoft SQL Server) that contains a specific content pattern suggesting the use of the NNG MS02-039 exploit false positive generator.
MS02-039 is a Microsoft security bulletin concerning buffer overflows in SQL Server 2000. The NNG tool referenced in this rule generates traffic patterns that mimic the exploit; it can be used for testing and validating IDS/IPS setups.
This alert may also be triggered when an adversary attempts to distract or mislead the monitoring system by generating false positives, potentially concealing a genuine attack.
Signature
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:4000481; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
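As an added illustration (not part of the original rule documentation), the following Python models the matching logic of this signature, UDP to port 1434, the content string searched from payload byte 90 onward, and the 4-in-15-seconds threshold tracked per destination, and runs it over constructed sample datagrams. The Packet structure, the sample addresses and the threshold bookkeeping are assumptions; the threshold handling approximates Snort's "type threshold" semantics rather than reproducing the engine.

```python
from collections import defaultdict, namedtuple

PATTERN = b"nng Snort (Snort)"   # content match from the ET rule
OFFSET = 90                       # offset:90 -> search starts at payload byte 90
COUNT, SECONDS = 4, 15            # threshold: count 4, seconds 15, track by_dst

Packet = namedtuple("Packet", "ts proto src dst dport payload")  # assumed structure

def rule_matches(pkt):
    """Header and content checks of the rule, without the threshold."""
    if pkt.proto != "udp" or pkt.dport != 1434:
        return False
    # Snort 'offset' sets where the content search begins; a copy of the
    # string that sits entirely before byte 90 does not satisfy the rule.
    return pkt.payload.find(PATTERN, OFFSET) != -1

class ThresholdTracker:
    """Approximates 'type threshold, track by_dst': one alert per COUNT matches to a destination within SECONDS."""
    def __init__(self):
        self.hits = defaultdict(list)   # dst -> timestamps of recent matches

    def process(self, pkt):
        """Return an alert string when the threshold is reached, else None."""
        if not rule_matches(pkt):
            return None
        recent = [t for t in self.hits[pkt.dst] if pkt.ts - t < SECONDS]
        recent.append(pkt.ts)
        if len(recent) >= COUNT:
            self.hits[pkt.dst] = []          # reset after firing, like the engine's counter
            return f"sid:4000481 {pkt.src} -> {pkt.dst}:{pkt.dport}"
        self.hits[pkt.dst] = recent
        return None

def run(packets):
    """Feed packets in time order; return the list of alerts raised."""
    tracker = ThresholdTracker()
    return [a for a in map(tracker.process, packets) if a]

# Constructed sample traffic (not captured data): filler pads the pattern to byte 90.
FILLER = b"A" * 90
SAMPLE = [
    Packet(0.0, "udp", "203.0.113.7", "10.0.0.5", 1434, FILLER + PATTERN),
    Packet(1.0, "udp", "203.0.113.7", "10.0.0.5", 1434, PATTERN + b"B" * 90),  # before offset 90: no match
    Packet(2.0, "tcp", "203.0.113.7", "10.0.0.5", 1434, FILLER + PATTERN),     # not UDP: no match
    Packet(3.0, "udp", "203.0.113.7", "10.0.0.5", 1434, FILLER + PATTERN),
    Packet(4.0, "udp", "203.0.113.7", "10.0.0.5", 1434, FILLER + PATTERN),
    Packet(5.0, "udp", "203.0.113.7", "10.0.0.5", 1434, FILLER + PATTERN),     # 4th match in 15 s: alert
    Packet(30.0, "udp", "203.0.113.7", "10.0.0.5", 1434, FILLER + PATTERN),    # window expired: counts as 1
]
```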
Recommendations/Investigative actions
It is recommended to verify whether this activity was a legitimate test performed by an authorized individual or team within your organization. If possible, block all UDP communication on port 1434 to the SQL server from external networks, or allow access from specific external devices only.
Relations to other alerts