Thursday, October 28, 2010

Cisco IPS signature 5377/0 caveat

Today I received a support call about a user's PC that suddenly could not connect to the Internet but was still able to talk to internal hosts. I checked the AIP-SSM log and found that this PC had fired the 5377/0 signature, which triggers if the word "xp_cmdshell" (an MS SQL Server stored procedure) is found in an HTTP request. It turned out that this was the PC of one of our developers, and she had fired the signature simply by searching Google for the xp_cmdshell keyword :)


So, if you have SQL Server guys on your network, create an Event Action Rule Override to avoid breaking network communication for these people...


Regards,
Igor
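The false positive described above, as an added example that is not part of the original post: a simplified stand-in for a keyword signature (not Cisco's engine) run over constructed HTTP requests, plus a triage step that separates hits caused by a web search from hits that need analyst review. The host names, the search-engine table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote_plus

KEYWORD = "xp_cmdshell"

# Assumption: hosts treated as web search engines and their query parameter.
SEARCH_ENGINES = {"www.google.com": "q", "www.bing.com": "q"}

# Constructed sample requests: (method, Host header, request target, body).
SAMPLES = [
    ("GET", "www.google.com", "/search?q=xp_cmdshell+permissions", ""),
    ("GET", "intranet.example.local", "/report.asp?proc=xp_cmdshell", ""),
    ("POST", "www.example.com", "/login", "user=alice&lang=en"),
]


def keyword_match(method, host, target, body):
    """Fire when the keyword appears anywhere in the decoded request,
    which is the behaviour the post describes for signature 5377/0."""
    decoded = unquote_plus(target + "\n" + body).lower()
    return KEYWORD in decoded


def triage(method, host, target, body):
    """Classify a request as 'no-alert', 'search-query' or 'review'."""
    if not keyword_match(method, host, target, body):
        return "no-alert"
    param = SEARCH_ENGINES.get(host.lower())
    if param is not None:
        # The keyword is only benign here if it sits in the search term itself.
        terms = parse_qs(urlsplit(target).query).get(param, [])
        if any(KEYWORD in term.lower() for term in terms):
            return "search-query"
    return "review"


def triage_all(samples=SAMPLES):
    """Return (host, verdict) pairs for every sample request."""
    return [(host, triage(method, host, target, body))
            for method, host, target, body in samples]


if __name__ == "__main__":
    for host, verdict in triage_all():
        print(f"{host:25} {verdict}")
```

A keyword-only match cannot tell the first two requests apart, which is why the developer's search was blocked. Only the `search-query` class is a candidate for an override that removes the blocking action.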
