Rule:  

--
Sid: 708

-- 

Summary: 
This event is generated when an attempt is made to overflow a buffer in the Microsoft SQL Server and Data Engine.

-- 
Impact: 
Serious. A Denial of Service condition or execution of arbitrary code is possible.

--
Detailed Information:
A buffer overflow condition exists in some versions of Microsoft SQL Server and Data Engine that may allow an attacker to execute arbitrary code with system privileges or crash the SQL Server.

The attacker must gain access to the SQL Server to exploit this vulnerability.

--

Attack Scenarios: 
Exploit code exists.

-- 

Ease of Attack: 
Simple. Exploit code exists.

-- 

False Positives: 
None Known.

--
False Negatives:
None Known.

-- 

Corrective Action: 
Apply the appropriate vendor-supplied patches.

Disallow direct access to the SQL server from sources external to the protected network.

Ensure that this event was not generated by a legitimate session, then investigate the server for signs of compromise.

Look for other events generated by the same IP addresses.
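
One way to carry out the last step, as an added example that is not part of the original rule documentation: parse Snort "fast" alert lines, find every source address that triggered SID 708, and list the other events from those addresses. The sample alerts, their messages, revisions, ports, addresses and the SIDs 1000001/1000002 are constructed for illustration.

```python
import re
from collections import defaultdict

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, {proto}, src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample input (not real alerts); messages are placeholders.
SAMPLE_ALERTS = """\
03/14-09:12:01.100000  [**] [1:1000001:1] constructed local rule A [**] [Priority: 2] {TCP} 203.0.113.7:40112 -> 192.0.2.10:1433
03/14-09:12:44.250000  [**] [1:708:1] constructed message for sid 708 [**] [Priority: 1] {TCP} 203.0.113.7:40150 -> 192.0.2.10:1433
03/14-09:13:02.000000  [**] [1:1000002:1] constructed local rule B [**] [Priority: 2] {TCP} 203.0.113.7:40151 -> 192.0.2.11:1433
03/14-09:20:00.000000  [**] [1:1000001:1] constructed local rule A [**] [Priority: 2] {TCP} 198.51.100.23:51000 -> 192.0.2.10:1433
03/14-09:31:10.500000  [**] [1:708:1] constructed message for sid 708 [**] [Priority: 1] {TCP} 198.51.100.99:50211 -> 192.0.2.10:1433
"""

def parse_alerts(text):
    """Return one dict per well-formed alert line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sid"] = int(ev["sid"])
            events.append(ev)
    return events

def related_events(events, target_sid=708):
    """Map each source that fired target_sid to its other (ts, sid, dst) events."""
    sources = {e["src"] for e in events if e["sid"] == target_sid}
    related = defaultdict(list)
    for e in events:
        if e["src"] in sources and e["sid"] != target_sid:
            related[e["src"]].append((e["ts"], e["sid"], e["dst"]))
    # Sources with no other events are kept with an empty list so they are not lost.
    return {src: related.get(src, []) for src in sorted(sources)}

if __name__ == "__main__":
    for src, others in related_events(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, "triggered sid 708;", len(others), "other event(s)")
        for ts, sid, dst in others:
            print("   ", ts, "sid", sid, "->", dst)
```

A source that shows other events before and after the SID 708 alert, especially against additional SQL Server hosts, is the one to prioritise when investigating the server for signs of compromise.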

--
Contributors: 
Original Rule Writer Unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082

Bugtraq:
http://www.securityfocus.com/bid/2031

Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms00-092.asp

--
