GEN:SID 1:2329
Message MS-SQL probe response overflow attempt
Summary This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft Windows Data Access Components.
Impact Serious. Execution of arbitrary code is possible. Denial of Service
(DoS) is also possible.
Detailed Information It may be possible for an attacker to send a specially crafted response
to a client broadcast query searching for an SQL server. This response
could take advantage of a buffer overrun condition in an MDAC component,
which may allow the attacker to execute code of their choosing with the
privileges of the user running the service on the client system.

A DoS condition may also manifest in MDAC version 2.8.

MDAC is included by default on many Microsoft Windows systems. Client
workstations may make regular broadcast announcements in an attempt to
find SQL servers.
Affected Systems Microsoft Data Access Components 2.5
    Microsoft Data Access Components 2.6
    Microsoft Data Access Components 2.7
    Microsoft Data Access Components 2.8
Attack Scenarios The attacker may spoof the response from an SQL server to exploit the
vulnerability.
Ease of Attack Moderate.
Corrective Action Apply the appropriate vendor supplied patches and service packs.

Use a packet filtering firewall to block access to port 1434 for UDP traffic.

Use IPsec to block incoming requests on UDP port 1434 on the SQL server.
Additional References Bugtraq:
http://www.securityfocus.com/bid/9407

CERT:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0903

Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-003.asp
Rule References bugtraq: 9407
cve: 2003-0903
url: www.microsoft.com/technet/security/bulletin/MS04-003.mspx
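
The Detailed Information above describes a crafted reply to a client's SQL server discovery broadcast. The following is an added example (not the Snort rule and not part of the original documentation) of a sanity check a sensor could apply to UDP payloads sourced from port 1434. It assumes the SVR_RESP framing of Microsoft's published SQL Server Resolution Protocol (opcode 0x05, 2-byte little-endian length, semicolon-delimited data); the function name, the MAX_TOKEN threshold and the sample payloads are constructed for illustration.

```python
import struct

SVR_RESP = 0x05    # server response opcode in the SQL Server Resolution Protocol
MAX_TOKEN = 255    # assumed per-field ceiling for this example; tune for your network


def frame(data: bytes) -> bytes:
    """Wrap response data in the SVR_RESP header (opcode + little-endian length)."""
    return bytes([SVR_RESP]) + struct.pack("<H", len(data)) + data


def inspect_ssrp_response(payload: bytes) -> list:
    """Return anomaly tuples for one UDP payload received from source port 1434.

    An empty list means the payload is either not an SVR_RESP message or
    looks structurally sane under the assumptions above.
    """
    if not payload or payload[0] != SVR_RESP:
        return []                                  # not a server response
    if len(payload) < 3:
        return [("truncated_header", len(payload))]

    findings = []
    (declared,) = struct.unpack_from("<H", payload, 1)
    data = payload[3:]
    if declared != len(data):
        # Header length disagrees with what actually arrived on the wire.
        findings.append(("length_mismatch", declared, len(data)))
    for index, token in enumerate(data.split(b";")):
        if len(token) > MAX_TOKEN:
            # A single name/value far longer than any legitimate field.
            findings.append(("oversized_token", index, len(token)))
    return findings


# Constructed sample payloads (not captured traffic).
_FIELDS = b"ServerName;DBHOST;InstanceName;%s;IsClustered;No;Version;8.00.194;tcp;1433;;"
BENIGN = frame(_FIELDS % b"MSSQLSERVER")
OVERSIZED = frame(_FIELDS % (b"X" * 600))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, inspect_ssrp_response(pkt))
```

A finding is a reason to inspect the sending host, since a client that broadcasts for SQL servers will accept a reply from any address on the segment.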