# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. # All rights reserved. # $Id: mysql.rules,v 1.10.2.1 2005/03/01 18:57:08 bmc Exp $ #---------- # MYSQL RULES #---------- # # These signatures detect unusual and potentially malicious mysql traffic. # # These signatures are not enabled by default as they may generate false # positive alarms on networks that do mysql development. # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; distance:3; within:1; content:"root|00|"; nocase; distance:5; within:5; classtype:protocol-command-decode; sid:3456; rev:1;)