ET SCAN Suspicious inbound to mySQL port 3306

This alert is triggered by inbound TCP connection attempts (SYN packets) from an external network to a host on the monitored network on port 3306, the default MySQL listener port. The signature is rate-limited to at most five alerts per source address per 60 seconds, so one alert may stand for many connection attempts. It may indicate an adversary scanning for an exposed database, attempting to gain initial access to it, or attempting to read or write its data. Because the signature matches the SYN alone, an alert does not show whether the connection was established or whether any authentication was attempted; that has to be confirmed from flow records or the database server's own logs.

Categories:

ID Number

4000758

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:4000758; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
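The following is an added example, not code from the original page or from Emerging Threats. It simulates what the signature above does with a stream of TCP packets: match $EXTERNAL_NET -> $HOME_NET on port 3306 with only the SYN flag set, then apply `threshold: type limit, count 5, seconds 60, track by_src`. The $HOME_NET range, the addresses and the packet records are all constructed for the example; `handshake_status` goes one step beyond the rule and checks whether the server ever answered a source's SYN, which is the first thing a triage would want to know.

```python
# Added example: a simulation of the ET SCAN 3306 rule over constructed packets.
# Not the page's or Emerging Threats' code; $HOME_NET, IPs and traffic are made up.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network("10.0.0.0/8")]          # assumption: the monitored range
MYSQL_PORT = 3306


@dataclass
class Packet:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags in Snort notation, e.g. "S", "SA", "PA"


def is_home(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOME_NET)


def matches(pkt: Packet) -> bool:
    """Rule header plus flow:to_server and flags:S.

    $EXTERNAL_NET defaults to !$HOME_NET. flags:S matches only when SYN is the
    sole flag set, so SYN-ACK replies and data packets never match.
    """
    return (not is_home(pkt.src) and is_home(pkt.dst)
            and pkt.dport == MYSQL_PORT and pkt.flags == "S")


def run_rule(packets, count=5, seconds=60):
    """Return the (ts, src) alerts the rule would emit.

    threshold type limit: alert on the first `count` matching packets from a
    source, stay silent until `seconds` have passed since that window opened,
    then start a new window.
    """
    alerts = []
    window = defaultdict(lambda: [None, 0])    # src -> [window_start, alerts_in_window]
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not matches(pkt):
            continue
        start, n = window[pkt.src]
        if start is None or pkt.ts - start >= seconds:
            start, n = pkt.ts, 0               # open a fresh window
        if n < count:
            n += 1
            alerts.append((pkt.ts, pkt.src))
        window[pkt.src] = [start, n]
    return alerts


def handshake_status(packets):
    """For each alerting source, did the server ever answer with SYN-ACK?

    The signature fires on the SYN alone, so an alert never proves a
    connection was established, let alone a MySQL login attempt. Pairing the
    alert with the return traffic is the first triage step.
    """
    status = {pkt.src: False for pkt in packets if matches(pkt)}
    for pkt in packets:
        if (pkt.flags == "SA" and pkt.sport == MYSQL_PORT
                and is_home(pkt.src) and pkt.dst in status):
            status[pkt.dst] = True
    return status


# Constructed traffic (documentation address ranges only):
SAMPLE = (
    # 203.0.113.5 sends eight SYNs in eight seconds and gets nothing back: a scan.
    [Packet(t, "203.0.113.5", 40000 + t, "10.0.0.20", 3306, "S") for t in range(8)]
    # ...and one more after the 60-second window has expired.
    + [Packet(70, "203.0.113.5", 40070, "10.0.0.20", 3306, "S")]
    # 198.51.100.9 completes a handshake and sends data.
    + [Packet(10.00, "198.51.100.9", 51000, "10.0.0.20", 3306, "S"),
       Packet(10.01, "10.0.0.20", 3306, "198.51.100.9", 51000, "SA"),
       Packet(10.02, "198.51.100.9", 51000, "10.0.0.20", 3306, "A"),
       Packet(10.05, "198.51.100.9", 51000, "10.0.0.20", 3306, "PA")]
    # An internal client: not $EXTERNAL_NET, so the rule ignores it.
    + [Packet(12, "10.0.0.30", 52000, "10.0.0.20", 3306, "S")]
)

if __name__ == "__main__":
    for ts, src in run_rule(SAMPLE):
        print(f"{ts:6.2f}  ET SCAN Suspicious inbound to mySQL port 3306  src={src}")
    for src, ok in handshake_status(SAMPLE).items():
        print(f"{src}: {'handshake completed' if ok else 'SYNs unanswered'}")
```

Running it shows the two sides of the threshold: the scanning source produces five alerts for its first eight SYNs and a sixth only once a new 60-second window opens, while the source that actually connected produces a single alert that looks no different from the scanner's. Only the SYN-ACK check separates the two.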

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to block inbound connections to TCP port 3306 from external networks at the perimeter and host firewall, and to bind MySQL to an internal address rather than all interfaces so the listener is not reachable from outside at all. If there is a genuine need for external access to the DB, allow it only from specific, named source addresses (or through a VPN or bastion host) and keep it denied for every other source. When investigating an alert, identify the source address (known partner, internal scanner, or unknown), check whether any of its SYNs were answered and a connection was established, and review the database server's logs for connection or authentication attempts from that address in the same period. A source whose SYNs went unanswered is most likely a port scan; a completed handshake followed by failed logins points to a brute-force or unauthorized access attempt and should be escalated.