Snort mailing list archives
Re: Using snort to track Oracle access
From: Martin Holste <mcholste () gmail com>
Date: Thu, 23 Feb 2012 13:36:37 -0600
I am new to Snort, but have a requirement to audit data flowing to and from an Oracle database based on the content of the data flowing in each direction. While this is not exactly an IDS use case, the similarity is that the packets flowing to and from Oracle need to be searched for particular content and a report generated on the usage.
Firstly, I would suggest that by far the best place to audit this kind of thing would be to have Oracle generate its own logs and to use those. I generally find that things important enough to audit like this will be encrypted on the wire. Before you get too far, I'd use tcpdump to quickly verify that the Oracle traffic is cleartext.

After that, I'd strongly suggest looking at a pcap using Wireshark. The read filter for the "tns" protocol has a lot of filters available. If you find a good filter, such as "tns.data", then you can put those into a tshark filter for reading off the wire like this:

tshark -i bond0 -R "tns.data" -n

Then you can do some cleaning up by piping to grep or a script like this:

tshark -i bond0 -R "tns.data" -n -e data -Tfields | perl -le 'while(<>){ print unpack("A*", pack("H*", $_)) }' | grep "table_name_to_audit"

If none of that is good enough, then try writing some Snort sigs for content matching. Even if it's not as efficient as the methods above, it's a great way to learn how to write signatures.
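The decode-and-grep pipeline in the reply above, carried one step further as an added example (not code from the original post): a Python script that decodes the hex `data` field tshark emits, attributes each packet to a client and a direction, and counts references to audited tables for the usage report. It assumes tshark is run with `-T fields -e ip.src -e ip.dst -e data`, that the Oracle traffic is cleartext, and uses constructed sample records with an assumed listener address.

```python
import re
from collections import Counter

# Constructed sample of tshark field output (not a real capture), as emitted by:
#   tshark -i bond0 -R "tns.data" -n -T fields -e ip.src -e ip.dst -e data
# One tab-separated record per packet; the `data` field is the TNS payload in hex.
DB_IP = "10.0.0.10"  # assumed address of the Oracle listener


def _hexdump(s):
    return s.encode("latin-1").hex()


_colon_hex = _hexdump("SELECT * FROM Employees")
SAMPLE_LINES = [
    "10.0.0.5\t" + DB_IP + "\t" + _hexdump("SELECT name FROM employees WHERE id = 42"),
    DB_IP + "\t10.0.0.5\t" + _hexdump("\x00\x06alice"),      # reply row, not audited
    "10.0.0.7\t" + DB_IP + "\t" + _hexdump("UPDATE salaries SET amount = 9000 WHERE emp = 42"),
    "10.0.0.7\t" + DB_IP + "\t" + _hexdump("select 1 from dual"),
    # older tshark versions print the data field as colon-separated hex; tolerate that too
    "10.0.0.5\t" + DB_IP + "\t" + ":".join(_colon_hex[i:i + 2] for i in range(0, len(_colon_hex), 2)),
]


def decode_payload(hex_field):
    """Turn tshark's hex data field (with or without ':' separators) into text."""
    return bytes.fromhex(hex_field.replace(":", "")).decode("latin-1")


def audit_records(lines, audited_tables, db_ip=DB_IP):
    """Return (direction, client_ip, table) for every packet that mentions an audited table."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, audited_tables)) + r")\b", re.IGNORECASE)
    hits = []
    for line in lines:
        src, dst, data = line.rstrip("\n").split("\t")
        if not data:
            continue  # packet carried no payload field
        text = decode_payload(data)
        direction, client = ("to_db", src) if dst == db_ip else ("from_db", dst)
        for m in pattern.finditer(text):
            hits.append((direction, client, m.group(1).lower()))
    return hits


def usage_report(hits):
    """Count audited-table references per (direction, client, table)."""
    return Counter(hits)


if __name__ == "__main__":
    report = usage_report(audit_records(SAMPLE_LINES, {"employees", "salaries"}))
    for key, n in sorted(report.items()):
        print(n, key)
```

On a live box, replace SAMPLE_LINES with `sys.stdin` and feed it the tshark command from the comment.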
Current thread:
- Using snort to track Oracle access Steve Wombell (Feb 23)
- Re: Using snort to track Oracle access Jason Wallace (Feb 23)
- Re: Using snort to track Oracle access Martin Holste (Feb 23)