Rule:  --Sid:677-- Summary: This event is generated when a command is issued to an SQL databaseserver that may result in a serious compromise of the data stored onthat system.-- Impact: Serious. An attacker may have gained administrator access to the system.--Detailed Information:This event is generated when an attacker issues a special command to anSQL database that may result in a serious compromise of all data storedon that system.Such commands may be used to gain access to a system with the privilegesof an administrator, delete data, add data, add users, delete users,return sensitive information or gain intelligence on the server softwarefor further system compromise. This connection can either be a legitimate telnet connection or theresult of spawning a remote shell as a consequence of a successfulnetwork exploit. --Attack Scenarios: Simple. These are SQL database commands.-- Ease of Attack: Simple.-- False Positives: This event may be generated by a database administrator logging in andissuing database commands from a location outside the protected network.--False Negatives:None Known-- Corrective Action: Disallow direct access to the SQL server from sources external to theprotected network.Ensure that this event was not generated by a legitimate session theninvestigate the server for signs of compromiseLook for other events generated by the same IP addresses.--Contributors: Original Rule Writer UnknownSourcefire Research TeamNigel Houghton <nigel.houghton@sourcefire.com>-- Additional References:Microsoft MSDN:http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_pa-pz_5x44.asp--