Snort mailing list archives
Re: Oracle SQL Obfuscation Rule
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 22 Oct 2013 19:14:18 -0400
Thanks Nick, I’ll ask someone to take a look.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire

On Oct 22, 2013, at 5:59 PM, Nicholas Mavis <nmavis () sourcefire com> wrote:
> I noticed that in the ruleset, we currently have a rule looking for MS SQL obfuscation with a string of char()'s. However, we do not have a rule for the Oracle version, chr(). I've altered the original rule to the following:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function"; flow:established,to_server; content:"GET"; http_method; content:"CHR("; nocase; http_uri; pcre:"/CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(/smiU"; metadata:service http; classtype:web-application-attack;)
>
> Thanks,
> Nick Mavis
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
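As an added illustration, not part of either message and not Sourcefire's code: a small Python emulation of what the proposed rule checks (GET method, `CHR(` somewhere in the URI, then the five-occurrence pcre), run over constructed sample request lines. It assumes a single pass of percent-decoding as a stand-in for the Snort URI normalization that the pcre `U` flag selects, so the decoding behaviour is an approximation, not Snort's exact preprocessor logic.

```python
import re
from urllib.parse import unquote

# The pcre from the proposed rule with Snort's "U" flag dropped; "U" only tells
# Snort to evaluate the pattern against the normalized URI buffer, which
# normalize_uri() below approximates. s/m/i map to re.S / re.M / re.I.
CHR_PATTERN = re.compile(r"CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(", re.S | re.M | re.I)


def normalize_uri(raw_uri: str) -> str:
    """Approximation (assumption) of Snort's URI normalization: one pass of
    percent-decoding so that chr%28 becomes chr( before matching."""
    return unquote(raw_uri)


def count_chr_calls(uri: str) -> int:
    """Case-insensitive count of chr( occurrences; handy for tuning the threshold."""
    return len(re.findall(r"chr\(", uri, re.I))


def rule_matches(request_line: str) -> bool:
    """Emulate the rule's options on a raw HTTP request line:
    content:"GET"; http_method;  content:"CHR("; nocase; http_uri;  pcre:...U"""
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":
        return False
    uri = normalize_uri(parts[1])
    if "chr(" not in uri.lower():
        return False
    return CHR_PATTERN.search(uri) is not None


# Constructed sample request lines (not captured traffic), one per case.
SAMPLE_REQUESTS = [
    # five chr() calls in the query string -> the pcre matches
    "GET /item.php?id=1||chr(65)||chr(66)||chr(67)||chr(68)||chr(69) HTTP/1.1",
    # mixed case -> still matches because of the i flag
    "GET /item.php?id=1||ChR(65)||cHr(66)||CHR(67)||chr(68)||Chr(69) HTTP/1.1",
    # percent-encoded parentheses -> matches only after URI decoding
    "GET /item.php?id=1||chr%2865%29||chr%2866%29||chr%2867%29||chr%2868%29||chr%2869%29 HTTP/1.1",
    # only four calls -> below the five-occurrence threshold, no alert
    "GET /item.php?id=1||chr(65)||chr(66)||chr(67)||chr(68) HTTP/1.1",
    # POST is excluded by content:"GET"; http_method;
    "POST /item.php HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(rule_matches(req), req)
```

Running it shows the encoded case only fires because of the decoding step, which is why matching on the normalized buffer (the `U` flag) matters for this rule.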