Getting multiple alerts for Severity 20

  • Question

  • Hi,

    We recently started getting Severity 20 alerts from all SQL Servers in the organization.

    As per the alert, I found that the Unix team recently deployed the "Arctic Wolf Risk/Vulnerability Scanner", and from this Unix server we are getting the alert below:

    Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: xx.xx.xx.xx]

    This Unix machine scans servers for vulnerabilities.

    Could anyone please help me with this?

    Thank you in advance; your help is much appreciated.

    Monday, May 25, 2020 9:50 AM

All replies

  • The vulnerability scanner is deliberately sending malformed requests to SQL Server. These are properly being rejected by SQL Server and, in some cases, also terminate the connection with the severity 20 error. The database engine and OS are doing their job of protecting against possible exploits of such potentially malicious requests.

    Since errors are expected in this case, you could filter out those alerts based on these client IPs to eliminate the noise.


    Dan Guzman, Data Platform MVP, http://www.dbdelta.com



    Monday, May 25, 2020 10:15 AM
    Moderator
  • Hi Dan,

    Just want to know: if these alerts keep coming continuously, will they affect any of the databases or have a performance impact on the server?

    Monday, May 25, 2020 1:16 PM
  • If by continuously you mean hundreds of times per second without interruption, that would be a cause for concern but probably not impactful if done with less frequency. I suggest you work with your security team to schedule production database scans outside of peak hours to mitigate impact and risk.


    Dan Guzman, Data Platform MVP, http://www.dbdelta.com

    • Marked as answer by Baraiya Kirit Wednesday, May 27, 2020 6:35 AM
    Monday, May 25, 2020 1:28 PM
    Moderator
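    As an added example (not code from this thread or from any of its posters), the following Python script applies the two suggestions above together: it pairs each "Error: 17836, Severity: 20" header in a SQL Server ERRORLOG with its message line, suppresses events whose [CLIENT: ip] falls inside an operator-maintained list of authorised scanner ranges, and still counts the suppressed events per second so that a sustained burst from a scanner is surfaced instead of silently dropped. The ERRORLOG lines, the client IPs, the scanner CIDR list and the burst threshold are all constructed or assumed values for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines laid out like a SQL Server ERRORLOG (not taken from
# the thread). 17836/severity 20 carries the message quoted in the question;
# 18456 is the failed-login error mentioned later. Client IPs are placeholders.
SAMPLE_ERRORLOG = """\
2020-05-25 09:48:12.34 Logon       Error: 17836, Severity: 20, State: 17.
2020-05-25 09:48:12.34 Logon       Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 10.20.30.40]
2020-05-25 09:48:12.51 Logon       Error: 18456, Severity: 14, State: 5.
2020-05-25 09:48:12.51 Logon       Login failed for user 'scanner_probe'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.30.40]
2020-05-25 09:48:13.02 Logon       Error: 17836, Severity: 20, State: 17.
2020-05-25 09:48:13.02 Logon       Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 10.20.30.40]
2020-05-25 09:49:00.77 Logon       Error: 17836, Severity: 20, State: 17.
2020-05-25 09:49:00.77 Logon       Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 192.168.7.9]
"""

# First line of a pair: "Error: N, Severity: N, State: N."
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) \S+\s+"
    r"Error: (?P<error>\d+), Severity: (?P<sev>\d+), State: (?P<state>\d+)\."
)
# Second line of a pair: message text ending in "[CLIENT: ip]"
MSG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) \S+\s+"
    r"(?P<msg>.*?)\s*\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_errorlog(lines):
    """Pair each 'Error:' header line with the message line that follows it."""
    events, pending = [], None
    for line in lines:
        h = HEADER_RE.match(line)
        if h:
            pending = {
                "ts": datetime.strptime(h["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "error": int(h["error"]),
                "severity": int(h["sev"]),
                "state": int(h["state"]),
            }
            continue
        m = MSG_RE.match(line)
        if m and pending is not None:
            pending.update(message=m["msg"], client=m["client"].strip())
            events.append(pending)
            pending = None
    return events


def _from_scanner(client, scanner_nets):
    """True if the client address lies in one of the authorised scanner ranges."""
    try:
        addr = ip_address(client)
    except ValueError:  # e.g. '<local machine>' or a named pipe client
        return False
    return any(addr in net for net in scanner_nets)


def triage(events, scanner_cidrs, severity=20, burst_threshold=100):
    """Split severity-20 events into scanner noise and alerts worth paging on.

    scanner_cidrs is an assumed, operator-maintained list of authorised scanner
    networks. Events from those ranges are suppressed but still rate-counted so a
    sustained burst (more than burst_threshold per second) is reported.
    """
    scanner_nets = [ip_network(c) for c in scanner_cidrs]
    suppressed, alerts = Counter(), []
    per_second = defaultdict(Counter)
    for ev in events:
        if ev["severity"] != severity:
            continue
        client = ev["client"]
        if _from_scanner(client, scanner_nets):
            suppressed[client] += 1
            per_second[client][ev["ts"].replace(microsecond=0)] += 1
        else:
            alerts.append(ev)
    peak = {c: max(buckets.values()) for c, buckets in per_second.items()}
    return {
        "suppressed": dict(suppressed),
        "alerts": alerts,
        "peak_per_second": peak,
        "burst_clients": sorted(c for c, n in peak.items() if n > burst_threshold),
    }


if __name__ == "__main__":
    result = triage(parse_errorlog(SAMPLE_ERRORLOG.splitlines()), ["10.20.30.0/24"])
    print("suppressed per scanner:", result["suppressed"])
    print("peak events/sec:", result["peak_per_second"], "bursting:", result["burst_clients"])
    for ev in result["alerts"]:
        print("ALERT", ev["ts"], ev["error"], ev["client"], ev["message"][:60])
```

    Run against the constructed log, the two severity-20 events from 10.20.30.40 are suppressed as scanner noise, the 18456 login failure is ignored because it is not severity 20, and the event from 192.168.7.9 (outside the scanner range) remains an alert. Feeding the real ERRORLOG in and keeping the CIDR list in sync with the security team's scanner inventory is the only change needed for production use.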
  • Hi Baraiya,

    I agree with what Dan said.

    The vulnerability scanner is intentionally sending bad packets to see if they can connect. Your server may get hit, so you would get 17836 along with 18456 for a username that cannot exist in your AD.

    You could ignore or filter out these alerts if they do not interrupt you too much, since this is quite normal behaviour and not an error.

    Best regards,

    Melissa

    -------------------------------------------

    MSDN Community Support



    Tuesday, May 26, 2020 7:31 AM