There is currently a computer attempting to gain access to your Microsoft SQL server as sa (System Administrator).  It is using a list of passwords that has been gathered from various sources on the internet.  Gaining access to your SQL server compromises your data and may allow the aggressor to take control of the machine.

It may be a good time to change your sa password.

Sniffle has made every attempt to respond to the ISP hosting the attacking computer.  The IP address used by sniffle is almost certainly real.

These attacks almost always originate outside the United States.  It is illegal within the US.  If it appears that the attack originates in the US you should contact the proper authorities.

Sniffle creates and uses several files for this type of attack.  It creates several .tmp files which are converted to .txt files after processing.  Sniffle analyzes and creates the exploit reports every hour.  Please do not delete the .tmp files.

The actual data used in the attack is contained in a text file with the following format.
YYYY-MM-DD HH-MM-SS-ms ???.???.???.???.txt
Example: 2019-10-23 11-34-10-324 192.168.1.122.txt
The file contains:
Date and Time
UTC offset
Source IP address
Client Name
Login
Password
Application Name
Target SQL Server IP Address

If Sniffle cannot find a contact address in the whois information it dumps the whois data to a file with the following format:
SQL Whois Lookup Fail 192.168.1.122.txt

Sniffle also adds all failed login attempts to a file:
SQL Server Login Errors.txt

Sniffle also adds the attempt to a file containing the country code of the attack.  
SQL Attack Country of Origin.txt
You can look up these codes at:
https://www.ripe.net/participate/member-support/list-of-members/list-of-country-codes-and-rirs

Beyond notifying the hosting ISP, there is very little that can be done to stop this type attack.  You could try using Echo and Kill but chances are the attacks are coming from a constantly changing set of computers worldwide.

