Snort mailing list archives
Re: Oracle SQL Obfuscation Rule
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 22 Oct 2013 19:14:18 -0400
Thanks Nick, I'll ask someone to take a look.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire

On Oct 22, 2013, at 5:59 PM, Nicholas Mavis <nmavis () sourcefire com> wrote:
I noticed that in the ruleset, we currently have a rule looking for MS
SQL obfuscation with a string of char()'s. However, we do not have a
rule for the Oracle version, chr(). I've altered the original rule to
the following:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
(msg:"INDICATOR-OBFUSCATION large number of calls to chr function"; \
flow:established,to_server; content:"GET"; http_method; \
content:"CHR("; nocase; http_uri; \
pcre:"/CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(/smiU"; \
metadata:service http; classtype:web-application-attack;)
Thanks,
Nick Mavis
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
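To check what the proposed rule actually fires on, the script below re-implements its match logic (GET method, `CHR(` in the URI, five occurrences via the same pcre) in Python and runs it over a handful of constructed request lines. This is an added example, not code from either post or from the Snort ruleset; the sample requests are constructed, and Snort's `/U` (normalized URI) buffer is approximated by percent-decoding the request URI, which is an assumption about the preprocessor rather than a faithful copy of http_inspect.

```python
"""Emulate the proposed Oracle chr() obfuscation rule over sample requests.

Added example (not from the mailing-list posts): mirrors the rule's
content/pcre checks so they can be exercised offline. Sample request
lines are constructed for this demonstration.
"""
import re
from urllib.parse import unquote

# The rule's pcre, with Snort's /s /m /i mapped to Python flags.
# Snort's /U flag selects the normalized URI buffer; see normalize_uri().
CHR_PATTERN = re.compile(
    r"CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(",
    re.IGNORECASE | re.DOTALL,
)


def normalize_uri(raw_uri: str) -> str:
    """Approximate http_inspect URI normalization by percent-decoding.

    Assumption: real http_inspect also handles double-encoding, path
    normalization, etc.; plain decoding is enough to show that %28/%29
    encoded parentheses do not evade the rule."""
    return unquote(raw_uri)


def parse_request_line(request_line: str):
    """Split 'METHOD URI HTTP/x.y' into (method, uri); None if malformed."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1]


def rule_matches(request_line: str) -> bool:
    """True when the rule's checks all pass for this request line.

    Order follows the rule: content:"GET"; http_method; (case-sensitive),
    then content:"CHR("; nocase; http_uri; as the fast pattern, then the
    five-call pcre on the normalized URI."""
    parsed = parse_request_line(request_line)
    if parsed is None:
        return False
    method, raw_uri = parsed
    if method != "GET":
        return False
    uri = normalize_uri(raw_uri)
    if "CHR(" not in uri.upper():
        return False
    return CHR_PATTERN.search(uri) is not None


def decode_chr_concat(expr: str) -> str:
    """Decode an Oracle-style chr(n)||chr(n)... concatenation to the string
    it builds, so an analyst can see what an alerting URI was spelling."""
    codes = re.findall(r"chr\((\d+)\)", expr, re.IGNORECASE)
    return "".join(chr(int(n)) for n in codes)


# Constructed request lines (not captured traffic).
SAMPLE_REQUESTS = [
    # six chr() calls spelling SELECT: alerts
    "GET /app/item.jsp?id=1||chr(83)||chr(69)||chr(76)||chr(69)||chr(67)||chr(84) HTTP/1.1",
    # five calls with percent-encoded parentheses: alerts after normalization
    "GET /app/item.jsp?id=1||chr%2883%29||chr%2869%29||chr%2876%29||chr%2869%29||chr%2867%29 HTTP/1.1",
    # four calls: below the rule's threshold, no alert
    "GET /app/item.jsp?id=chr(65)||chr(66)||chr(67)||chr(68) HTTP/1.1",
    # same payload in a POST: rule requires GET, so no alert (a visible gap)
    "POST /app/item.jsp?id=chr(83)||chr(69)||chr(76)||chr(69)||chr(67)||chr(84) HTTP/1.1",
    # benign request that mentions chr without a call
    "GET /docs/oracle-chr-function.html HTTP/1.1",
]


def alerting_requests(requests=SAMPLE_REQUESTS):
    """Return the subset of request lines the emulated rule would alert on."""
    return [r for r in requests if rule_matches(r)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("ALERT" if rule_matches(req) else "     ", req)
    print("first payload spells:", decode_chr_concat(SAMPLE_REQUESTS[0]))
```

Two things the run makes visible: the lazy `.*?` chain is just a count of five `CHR(` occurrences, so a shorter payload (sample 3) stays silent, and because the rule pins `http_method` to GET and inspects only `http_uri`, the same concatenation in a POST body or query (sample 4) does not fire.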
