MSSQL client overflow false positives

I'm seeing a lot of false positives on this rule - shouldn't the flow selector be limited to mssql ports? This is obviously ipsec udp traffic.

Message........: MS-SQL probe response overflow attempt
Packet dropped.: no
Priority.......: 1 (high)
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 
Source port: 4500 (ipsec-msft)
Destination IP address: 
Destination port: 4500 (ipsec-msft)
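
One way to triage alerts like the one quoted above, as an added example that is not part of the original post or of the vendor's rule set: it parses the alert layout shown and labels MS-SQL UDP alerts by whether either port fits the service. The port sets (UDP 1434 for the SQL Server Browser, UDP 500/4500 for IKE and IPsec NAT traversal) and all function and label names are assumptions of this example.

```python
import re

# Assumptions for this example: SQL Server Browser answers on UDP 1434,
# and UDP 500/4500 carry IKE and IPsec NAT traversal.
MSSQL_UDP_PORTS = {1434}
IPSEC_UDP_PORTS = {500, 4500}

# Constructed sample in the alert layout quoted in the post (addresses left blank).
SAMPLE_ALERT = """\
Message........: MS-SQL probe response overflow attempt
Packet dropped.: no
Priority.......: 1 (high)
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address:
Source port: 4500 (ipsec-msft)
Destination IP address:
Destination port: 4500 (ipsec-msft)
"""

FIELD = re.compile(r"^([A-Za-z ]+?)\.*:\s*(.*)$")

def parse_alert(text):
    """Turn 'Key....: value' lines into a dict; empty values are kept as ''."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def leading_int(value):
    """'4500 (ipsec-msft)' -> 4500; None when no number is present."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None

def triage(fields):
    """Label an MS-SQL UDP alert by whether either port fits the service."""
    if ("ms-sql" not in fields.get("message", "").lower()
            or leading_int(fields.get("ip protocol")) != 17):
        return "not-applicable"
    ports = {leading_int(fields.get("source port")),
             leading_int(fields.get("destination port"))}
    if ports & MSSQL_UDP_PORTS:
        return "review"  # port fits the service; needs an analyst
    if ports & IPSEC_UDP_PORTS:
        return "likely-false-positive-ipsec"
    return "likely-false-positive-port-mismatch"
```
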


This thread was automatically locked due to age.