Signature
alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 40, seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:4000747; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
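To make the rule's semantics concrete, the following is an added Python model (not Emerging Threats code and not part of this page) that applies the per-packet match and the `threshold: type both, track by_src, count 40, seconds 60` logic to constructed packet records; the HOME_NET value (10.0.0.0/8) and the record format are assumptions.

```python
# Model of the ET SCAN port-1433 rule: per-packet match plus "type both" threshold.
import ipaddress

# Rule parameters taken from the signature; HOME_NET is an assumed value.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
DST_PORT = 1433
COUNT, SECONDS = 40, 60

def packet_matches(pkt):
    """Per-packet part of the rule: TCP from HOME_NET to port 1433 with only SYN set.
    flags:S,12 masks the two reserved/ECN bits, so CWR/ECE (C/E) are ignored."""
    flags = pkt["flags"].replace("C", "").replace("E", "")
    return (pkt["proto"] == "tcp" and pkt["dport"] == DST_PORT and flags == "S"
            and ipaddress.ip_address(pkt["src"]) in HOME_NET)

def apply_threshold(packets):
    """threshold: type both, track by_src. Per source, count matches inside a
    SECONDS-long window opened by the first match; alert once when COUNT is reached
    and stay silent for the rest of that window. Returns [(src, ts), ...]."""
    state = {}   # src -> [window_start, hits, already_alerted]
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not packet_matches(pkt):
            continue
        src, ts = pkt["src"], pkt["ts"]
        window = state.get(src)
        if window is None or ts - window[0] >= SECONDS:
            window = state[src] = [ts, 0, False]
        window[1] += 1
        if window[1] >= COUNT and not window[2]:
            window[2] = True
            alerts.append((src, ts))
    return alerts

def constructed_packets():
    """Constructed traffic: one internal host sweeps 45 servers in 45 s, pauses, and
    repeats; a second host touches ten servers; an external source is outside HOME_NET."""
    pkts = []
    for burst_start in (0, 300):
        for i in range(45):
            pkts.append({"ts": burst_start + i, "src": "10.0.0.5", "dst": f"10.0.1.{i + 1}",
                         "dport": 1433, "proto": "tcp", "flags": "S"})
    for i in range(10):
        pkts.append({"ts": 5 + i, "src": "10.0.0.9", "dst": f"10.0.1.{i + 1}",
                     "dport": 1433, "proto": "tcp", "flags": "S"})
    for i in range(50):
        pkts.append({"ts": i, "src": "203.0.113.7", "dst": "10.0.1.1",
                     "dport": 1433, "proto": "tcp", "flags": "S"})
    return pkts

if __name__ == "__main__":
    for src, ts in apply_threshold(constructed_packets()):
        print(f"alert: {src} sent {COUNT}+ SYNs to tcp/{DST_PORT} within {SECONDS}s (t={ts})")
```

Only the sweeping internal host fires, once per burst; the ten-host probe and the external source never reach the threshold or the HOME_NET condition.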
Recommendations/Investigative actions
Locate the device initiating the traffic to assess if it’s expected or potentially unauthorized.
Restrict access to port 1433 if this traffic is unexpected, especially if SQL services aren’t required.
Investigate the device that initiated the traffic for signs of phishing, malware, or other suspicious behavior.
Relations to other alerts