Snort mailing list archives
Using snort to track Oracle access
From: Steve Wombell <swombell () packetmechanics com>
Date: Tue, 21 Feb 2012 20:58:14 +0800
I am new to Snort, but have a requirement to audit data flowing to and from an Oracle database based on the content of the data flowing in each direction. While this is not exactly an IDS use case, the similarity is that the packets flowing to and from Oracle need to be searched for particular content and a report generated on the usage.

The test setup is:

- Snort on a Windows PC (the Server) capturing traffic that flows through the network interface (192.168.1.111).
- An Oracle instance on the same PC.
- A client PC on the same subnet that can query the database (192.168.1.109).

This rule:

    alert tcp any any <> any any (content:"samsung"; nocase; msg:"Samsung in the stream"; sid:1000047; rev:1;)

will report when a packet containing "samsung" is sent from the client to the server, but packets from the database server to the client do not trigger the rule.

I am struggling to understand why the database-to-client packets are not flagged. I have verified that the search text is in the return packets (via using a sniffer), so it is not an encryption issue. Is it something as simple as the way the HOME (192.168.1.0/24) and EXTERNAL (any) network definitions are interpreted (does not seem likely)... any advice appreciated...

Thanks
Steve
Current thread:
- Using snort to track Oracle access Steve Wombell (Feb 23)
- Re: Using snort to track Oracle access Jason Wallace (Feb 23)
- Re: Using snort to track Oracle access Martin Holste (Feb 23)