Snort mailing list archives

Re: Using snort to track Oracle access


From: Martin Holste <mcholste () gmail com>
Date: Thu, 23 Feb 2012 13:36:37 -0600

I am new to Snort, but have a requirement to audit data flowing to and from
an Oracle database based on the content of the data flowing in each
direction. While this is not exactly an IDS use case, the similarity is that
the packets flowing to and from Oracle need to be searched for particular
content and a report generated on the usage.

Firstly, I would suggest that by far the best place to audit this kind
of thing would be to have Oracle generate its own logs and to use
those.

I generally find that things important enough to audit like this will
be encrypted on the wire.  Before you get too far, I'd use tcpdump to
quickly verify that the Oracle traffic is cleartext.

After that, I'd strongly suggest looking at a pcap using Wireshark.
The read filter for the "tns" protocol has a lot of filters available.
If you find a good filter, such as "tns.data" then you can put those
into a tshark filter for reading off the wire like this:

tshark -i bond0 -R "tns.data" -n

Then you can do some cleaning up by piping to grep or a script like this:

tshark -i bond0 -R "tns.data" -n -e data -Tfields | perl -le 'while(<>){ chomp; print unpack("A*", pack("H*", $_)) }' | grep "table_name_to_audit"

If none of that is good enough, then try writing some Snort sigs for
content matching.  Even if it's not as efficient as the methods above,
it's a great way to learn how to write signatures.
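The decode-and-grep step from the pipeline above, written out as an added example that is not part of the original post. It swaps the perl one-liner for a portable awk decoder so it runs anywhere with a POSIX shell, and it also accepts the colon-separated hex that some tshark versions print for byte fields. The three hex records and the table name EMPLOYEES are constructed sample data standing in for live "tshark -Tfields -e data" output; non-printable bytes are rendered as "." so the text is safe to grep and to log.

```shell
#!/bin/sh
# Added example (not from the original post): decode the hex that
# "tshark -Tfields -e data" emits into printable text and report which
# records mention an audited table. Sample records and the table name
# below are constructed; on a live sensor the input would come from
# "tshark -i <iface> -R tns.data -n -e data -Tfields" as in the post.

AUDITED_TABLE="EMPLOYEES"

# Constructed sample input: one hex record per line, as tshark prints them.
#   record 1: "SELECT * FROM EMPLOYEES"
#   record 2: "SELECT 1 FROM DUAL"
#   record 3: two non-printable header bytes then "UPDATE EMPLOYEES",
#             colon-separated and upper-case to exercise both code paths
SAMPLE_HEX='53454c454354202a2046524f4d20454d504c4f59454553
53454c45435420312046524f4d204455414c
00:01:55:50:44:41:54:45:20:45:4D:50:4C:4F:59:45:45:53'

# hex_to_text: read hex records on stdin (with or without ':' separators),
# write the printable rendering of each, one record per line. Bytes outside
# the printable ASCII range become '.' instead of being passed through raw.
hex_to_text() {
  awk '
    BEGIN { digits = "0123456789abcdef" }
    {
      gsub(/:/, "", $0)
      line = tolower($0)
      out = ""
      for (i = 1; i + 1 <= length(line); i += 2) {
        hi = index(digits, substr(line, i, 1)) - 1
        lo = index(digits, substr(line, i + 1, 1)) - 1
        byte = hi * 16 + lo
        out = out ((byte >= 32 && byte <= 126) ? sprintf("%c", byte) : ".")
      }
      print out
    }'
}

# audit_hits: keep only the decoded records that mention the audited table.
audit_hits() {
  hex_to_text | grep -F -- "$AUDITED_TABLE"
}

# count_hits: number of sample records that reference the audited table.
count_hits() {
  printf '%s\n' "$SAMPLE_HEX" | audit_hits | wc -l | tr -d ' '
}

# Stand-alone run: show every decoded record, then the audit hits.
printf '%s\n' "$SAMPLE_HEX" | hex_to_text
echo "--- records referencing $AUDITED_TABLE ---"
printf '%s\n' "$SAMPLE_HEX" | audit_hits
```

Replace the printf of SAMPLE_HEX with the tshark command from the post to run it against live traffic; the grep stays a fixed-string match so a table name containing regex metacharacters cannot be misread as a pattern.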
