ET SCAN Suspicious inbound to mSQL port 4333

This alert is triggered when inbound communication from an external network to the database (DB) on port 4333 (mSQL) is detected. It may be triggered when an adversary is attempting to gain initial access to the DB, or to read or write data in the DB.

Categories:

ID Number

4000757

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:4000757; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
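
Added example (not part of the original rule documentation): a small Python model of the signature's `threshold: type limit, count 5, seconds 60, track by_src` option, showing that alerts are capped per source and therefore understate how many SYN packets to port 4333 were actually seen. The fixed-window behaviour, the `Syn` tuple, the function names and the sample addresses are assumptions made for illustration.

```python
from collections import namedtuple

# Values taken from the signature's threshold option.
COUNT, SECONDS = 5, 60

Syn = namedtuple("Syn", "ts src")  # one inbound TCP SYN to port 4333


def apply_limit(events, count=COUNT, seconds=SECONDS):
    """Return the events that raise an alert under 'type limit, track by_src'.

    Assumed model: per source, a window opens at the first matching packet;
    at most `count` alerts are raised inside it, and the first match at or
    after `seconds` later opens a new window.
    """
    state = {}   # src -> [window_start, alerts_in_window]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        win = state.get(ev.src)
        if win is None or ev.ts - win[0] >= seconds:
            state[ev.src] = [ev.ts, 1]
            alerts.append(ev)
        elif win[1] < count:
            win[1] += 1
            alerts.append(ev)
    return alerts


def summarize(events):
    """Per source: (SYNs seen, alerts raised)."""
    out = {}
    for ev in events:
        out.setdefault(ev.src, [0, 0])[0] += 1
    for ev in apply_limit(events):
        out[ev.src][1] += 1
    return {src: tuple(v) for src, v in out.items()}


# Constructed sample traffic (documentation addresses, not real hosts):
# one source sending 1 SYN per second for 90 s, one source sending 2 SYNs.
SAMPLE = [Syn(t, "203.0.113.10") for t in range(90)] + \
         [Syn(5, "198.51.100.7"), Syn(70, "198.51.100.7")]

if __name__ == "__main__":
    for src, (seen, alerted) in sorted(summarize(SAMPLE).items()):
        print(f"{src}: {seen} SYNs seen, {alerted} alerts raised")
```

When triaging, read five alerts from one source within a minute as "five or more" and confirm the real volume in flow or firewall logs.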

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to disable all external communication to the DB and to disable mSQL port 4333. If external access to the DB is needed, enable access to specific assets only.