Snort mailing list archives
Oracle SQL Obfuscation Rule
From: Nicholas Mavis <nmavis () sourcefire com>
Date: Tue, 22 Oct 2013 17:59:14 -0400
I noticed that in the ruleset, we currently have a rule looking for MS SQL obfuscation with a string of char()'s. However, we do not have a rule for the Oracle version, chr(). I've altered the original rule to the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function"; flow:established,to_server; content:"GET"; http_method; content:"CHR("; nocase; http_uri; pcre:"/CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(/smiU"; metadata:service http; classtype:web-application-attack;)

Thanks,
Nick Mavis

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
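
The rule's match conditions can be exercised offline against sample requests. The following is an added example, not part of the original post or of the Snort ruleset: a Python approximation of the rule's content and pcre options. The helper names `rule_matches`, `chain` and `run_samples`, the sample URIs, and the use of `urllib.parse.unquote` as a stand-in for Snort's URI normalization are assumptions.

```python
import re
from urllib.parse import unquote

# pcre copied from the posted rule. Flags: s -> DOTALL, m -> MULTILINE,
# i -> IGNORECASE. The U modifier (match against the normalized URI) has no
# Python equivalent; percent-decoding below approximates it (assumption).
CHR_CHAIN = re.compile(
    r"CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(",
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)


def rule_matches(method, raw_uri):
    """Hypothetical helper: True if the request meets the rule's options."""
    if method != "GET":             # content:"GET"; http_method;
        return False
    uri = unquote(raw_uri)          # stand-in for HTTP URI normalization
    if "chr(" not in uri.lower():   # content:"CHR("; nocase; http_uri;
        return False
    return CHR_CHAIN.search(uri) is not None  # pcre:"/.../smiU"


def chain(n, name="CHR", encoded=False):
    """Build a constructed URI with n concatenated chr() calls."""
    uri = "/item.jsp?id=1||" + "||".join(f"{name}({65 + i})" for i in range(n))
    if encoded:
        uri = uri.replace("(", "%28").replace(")", "%29").replace("|", "%7C")
    return uri


# Constructed test requests: (method, URI, expected verdict)
SAMPLES = [
    ("GET", chain(5), True),                  # five calls: alert
    ("GET", chain(5, name="chr"), True),      # nocase / i flag
    ("GET", chain(5, encoded=True), True),    # matched after decoding
    ("GET", chain(4), False),                 # below the five-call threshold
    ("GET", "/help?topic=chr(10)", False),    # single benign mention
    ("POST", chain(5), False),                # content:"GET" limits the rule
]


def run_samples():
    """Return (uri, expected, actual) for every constructed sample."""
    return [(u, want, rule_matches(m, u)) for m, u, want in SAMPLES]


if __name__ == "__main__":
    for uri, want, got in run_samples():
        print(f"{'OK  ' if want == got else 'FAIL'} match={got!s:5} {uri}")
```

The expected verdicts describe only this approximation; confirming the rule itself requires replaying equivalent traffic through Snort with the rule loaded.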
Current thread:
- Oracle SQL Obfuscation Rule Nicholas Mavis (Oct 22)
- Re: Oracle SQL Obfuscation Rule Joel Esler (Oct 22)