i found a IDS alert telling me that someone tries to propagate a sql worm.
it's coming from a nonexisting LAN ip.
so my question :
should i switch off this rule?
i'm not running any sql server.
or should i have a look for where it comes from ?
how can i?

(for information: i'm running w2k behind a firewall/gateway server using clarkconnect 2.1 with snort installed)

thx