Snort mailing list archives

Re: Using snort to track Oracle access


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 23 Feb 2012 12:17:42 -0500

I would try to avoid "any any <> any any"

Make sure the ports used for this communication are set to "ports
both" in stream5.

For example if Oracle is listening on port 1521 you will need to
ensure 1521 is in "ports both" in stream5 then try these rules...

alert tcp [your client address space] any -> [your Oracle Server IP]
1521 (flow:established,to_server; content:"samsung"; nocase;
msg:"Samsung in the stream from client to server"; sid:1000047;
rev:1;)

alert tcp [your Oracle Server IP] 1521 -> [your client address space]
any (flow:established,from_server; content:"samsung"; nocase;
msg:"Samsung in the stream from server to client"; sid:1000048;
rev:1;)

IIRC Oracle can do some weird stuff with picking ports so you need to
know how the client to server comms work.

Thx,
Wally

On Tue, Feb 21, 2012 at 7:58 AM, Steve Wombell
<swombell () packetmechanics com> wrote:
I am new to Snort, but have a requirement to audit data flowing to and from
an Oracle database based on the content of the data flowing in each
direction. While this is not exactly an IDS use case, the similarity is that
the packets flowing to and from Oracle need to be searched for particular
content and a report generated on the usage.

The test setup is:

Snort on a Windows PC (the Server) capturing traffic that flows through the
network interface. (192.168.1.111)
An Oracle instance on the same PC.
A client PC on the same subnet that can query the database. (192.168.1.109)

This rule

alert tcp any any <> any any (content:"samsung"; nocase; msg:"Samsung in the
stream"; sid:1000047; rev:1;)

will report when a packet containing "samsung" is sent from the client to
the server, but packets from the database server to the client do not
trigger the rule.

I am struggling to understand why the database-to-client packets are not
flagged. I have verified that the search text is in the return packets (via
using a sniffer) so it is not an encryption issue.

Is it something as simple as the way the HOME (192.168.1.0/24) and EXTERNAL
(any) network definitions are interpreted (does not seem likely) ... any
advice appreciated ...

Thanks
Steve
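The configuration Wally's reply describes, written out as an added example (it is not from either message in the thread). It puts the Oracle listener port into "ports both" for stream5 so that server-to-client data is reassembled and inspected, and pairs that with the two directional rules. The variable names ORACLE_SERVER, DB_CLIENTS and ORACLE_PORTS are assumptions chosen for this example; the addresses and port 1521 come from the thread.

```snort
# --- snort.conf fragment (added example, not from the thread) ---
# Address and port groups; the names are assumptions, the values come
# from Steve's test setup and Wally's reply.
ipvar ORACLE_SERVER 192.168.1.111
ipvar DB_CLIENTS 192.168.1.0/24
portvar ORACLE_PORTS 1521

# Weak setting: only the client side of the TCP session is reassembled,
# so content rules never see server-to-client payload as a stream.
# preprocessor stream5_tcp: policy windows, ports client 1521

# Corrected setting: reassemble both directions for the Oracle listener
# port. Add any other ports the listener redirects clients to, since
# only ports listed here get both-direction reassembly.
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy windows, ports both 1521

# --- local.rules (added example) ---
# Client -> server: match only on established sessions heading to the
# listener, never "any any <> any any".
alert tcp $DB_CLIENTS any -> $ORACLE_SERVER $ORACLE_PORTS \
    (flow:established,to_server; content:"samsung"; nocase; \
    msg:"Samsung in the stream from client to server"; sid:1000047; rev:1;)

# Server -> client: the return direction that was silently missed when
# 1521 was not in "ports both".
alert tcp $ORACLE_SERVER $ORACLE_PORTS -> $DB_CLIENTS any \
    (flow:established,from_server; content:"samsung"; nocase; \
    msg:"Samsung in the stream from server to client"; sid:1000048; rev:1;)
```

When checking the fix, confirm with a sniffer which port the Oracle client actually talks on after the initial connection to 1521; if the listener hands the session off to another port, that port must be listed in "ports both" as well or the server-to-client rule will again stay quiet.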




------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

