ET SCAN Non-Allowed Host Tried to Connect to MySQL Server
This alert is triggered when a non-allowed host tries to connect to a MySQL server on the monitored network.
MySQL is an open-source relational database management system. This rule specifically identifies the error message returned by a MySQL server when a host that is not allowed tries to establish a connection.
This alert may be triggered when an adversary or unauthorized entity is attempting to access a MySQL database to which they do not have permissions.
Signature
alert tcp $HOME_NET 3306 -> any any (msg:"ET SCAN Non-Allowed Host Tried to Connect to MySQL Server"; flow:from_server,established; content:"|6A 04|Host|20 27|"; depth:70; content:"|27 20|is not allowed to connect to this MySQL server"; distance:0; reference:url,www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html; reference:url,doc.emergingthreats.net/2010493; classtype:attempted-recon; sid:4000484; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
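The following is an added example, not part of the ET ruleset or this page, that reproduces the signature's match logic in Python for triage: it parses the MySQL ERR packet the rule keys on, checks for error code 1130 (the `6A 04` bytes, little-endian) followed by the "is not allowed to connect to this MySQL server" message, and extracts the rejected host. The sample packets are constructed, not captured traffic.

```python
"""Mirror of the 'Non-Allowed Host' rule: parse a MySQL ERR packet and flag
error 1130 (ER_HOST_NOT_PRIVILEGED) replies, extracting the rejected host."""
import re
import struct

ER_HOST_NOT_PRIVILEGED = 1130  # 0x046A, on the wire as 6A 04 (little-endian)
HOST_RE = re.compile(rb"Host '([^']*)' is not allowed to connect to this MySQL server")


def parse_err_packet(data: bytes):
    """Return (error_code, message) from a MySQL ERR packet, or None if it is not one.
    Wire format: 3-byte LE payload length, 1-byte sequence id, then a payload that
    starts with 0xFF and a 2-byte LE error code. The pre-handshake host rejection
    carries no '#SQLSTATE' marker, so the message follows the code directly,
    which is why the rule can match '|6A 04|Host|20 27|' as one contiguous string."""
    if len(data) < 7 or data[4] != 0xFF:
        return None
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if len(payload) < 3:
        return None
    code = struct.unpack_from("<H", payload, 1)[0]
    msg = payload[3:]
    if msg.startswith(b"#") and len(msg) >= 6:  # protocol-4.1 form carries '#' + 5-char SQLSTATE
        msg = msg[6:]
    return code, msg


def rejected_host(data: bytes):
    """Return the host the server refused, or None if the reply does not match the rule."""
    parsed = parse_err_packet(data)
    if parsed is None:
        return None
    code, msg = parsed
    m = HOST_RE.search(msg)
    if code != ER_HOST_NOT_PRIVILEGED or m is None:
        return None
    return m.group(1).decode("ascii", "replace")


def build_err_packet(code: int, message: bytes, seq: int = 0) -> bytes:
    """Build an ERR packet (used here only to construct sample data)."""
    payload = b"\xff" + struct.pack("<H", code) + message
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample: the reply a server sends to a host no account is allowed from.
SAMPLE_REJECT = build_err_packet(1130, b"Host '10.0.0.5' is not allowed to connect to this MySQL server")
# Constructed sample: a different error (1045, access denied) that must not fire.
SAMPLE_OTHER = build_err_packet(1045, b"#28000Access denied for user 'app'@'10.0.0.5' (using password: YES)")

if __name__ == "__main__":
    print(rejected_host(SAMPLE_REJECT))  # 10.0.0.5
    print(rejected_host(SAMPLE_OTHER))   # None
```

The rejected host is the one named inside the server's message; because the rule fires on the server's reply, it is the destination address of the matching packet rather than its source.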
Recommendations/Investigative actions
It is recommended to examine the host that attempted the connection and determine its legitimacy; this may be a legitimate user or system attempting to connect. Because the rule matches the server's reply (flow:from_server), that host is the destination address of the matching packet, not its source. If it is an unknown or unexpected host, further investigation and potential blocking are advised. Review the MySQL server configuration, specifically the host-based access controls, to ensure that only necessary and trusted hosts can establish connections.
Relations to other alerts