Snort mailing list archives
lots of false positives for "GPL SQL user name buffer overflow attempt"
From: Cyrille Bollu <cyrille.bollu () gmail com>
Date: Tue, 21 Jan 2014 14:48:34 +0100
Hi,

Signature 2102650 generates lots of false positives here.

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url, www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3;)

It seems like the "isdataat:1000,relative" option is not taken into account, as packets are smaller than 1000 bytes. For example, here are the last bytes of a matching packet: "(HOST=PC-MARIANNE)(USER=marianne))))".

I can provide you with a packet capture if you want.

Br,
Cyrille
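To see what the rule's option chain should do against the reported packet, here is an added example (not part of the original post or of the Snort rule set) that models the content / isdataat / within logic of SID 2102650 in Python on constructed connect strings. It assumes a simplified cursor model of Snort's relative matching: the byte at the relative isdataat offset must exist within the payload, and the negated content fails the rule if a double quote appears in the 1000 bytes following the "(user=" match.

```python
# Model of the option chain of SID 2102650 (rule text as quoted in the post).
# Simplification (assumption, not Snort's engine): the two plain "content"
# options are absolute searches; the cursor is left at the end of the "(user="
# match; "isdataat:1000,relative" is satisfied only when the byte at offset 1000
# past the cursor exists; 'content:!"|22|"; within:1000' fails the rule when a
# double quote appears in the 1000 bytes after the cursor.
USER_PATTERN = b"(user="
ISDATAAT_OFFSET = 1000
WITHIN = 1000

# Constructed sample payloads. BENIGN ends with the fragment quoted in the post.
BENIGN = (b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)"
          b"(CID=(PROGRAM=sqlplus)(HOST=PC-MARIANNE)(USER=marianne))))")
LONG_USER = b"(CONNECT_DATA=(CID=(USER=" + b"A" * 1100 + b")))"
LONG_USER_QUOTED = b"(CONNECT_DATA=(CID=(USER=" + b'"' + b"A" * 1100 + b")))"


def cursor_after_user(payload: bytes) -> int:
    """Return the cursor position after 'connect_data' and '(user=' (nocase), or -1."""
    hay = payload.lower()
    if hay.find(b"connect_data") < 0:
        return -1
    idx = hay.find(USER_PATTERN)
    return -1 if idx < 0 else idx + len(USER_PATTERN)


def bytes_after_user(payload: bytes) -> int:
    """How many payload bytes follow the '(user=' match (what isdataat inspects)."""
    cursor = cursor_after_user(payload)
    return -1 if cursor < 0 else len(payload) - cursor


def rule_2102650_matches(payload: bytes) -> bool:
    """True only if every option of the modelled chain is satisfied."""
    cursor = cursor_after_user(payload)
    if cursor < 0:
        return False
    if len(payload) - cursor <= ISDATAAT_OFFSET:   # isdataat:1000,relative
        return False
    if b'"' in payload[cursor:cursor + WITHIN]:    # content:!"|22|"; within:1000
        return False
    return True


if __name__ == "__main__":
    for name, p in (("BENIGN", BENIGN), ("LONG_USER", LONG_USER),
                    ("LONG_USER_QUOTED", LONG_USER_QUOTED)):
        print(name, bytes_after_user(p), rule_2102650_matches(p))
```

With this model the quoted packet has only 12 bytes after "(user=", so a correct evaluation of isdataat:1000,relative cannot fire; comparing the model's verdict against what the sensor actually alerts on is one way to narrow down whether the option is being honoured.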
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- lots of false positives for "GPL SQL user name buffer overflow attempt" Cyrille Bollu (Jan 21)
- Re: lots of false positives for "GPL SQL user name buffer overflow attempt" Joel Esler (jesler) (Jan 21)
- Re: lots of false positives for "GPL SQL user name buffer overflow attempt" Cyrille Bollu (Jan 21)
- Re: lots of false positives for "GPL SQL user name buffer overflow attempt" Joel Esler (jesler) (Jan 21)