Snort mailing list archives

lots of false positives for "GPL SQL user name buffer overflow attempt"


From: Cyrille Bollu <cyrille.bollu () gmail com>
Date: Tue, 21 Jan 2014 14:48:34 +0100

Hi,

Signature 2102650 generates lots of false positives here.

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL
user name buffer overflow attempt"; flow:to_server,established;
content:"connect_data"; nocase; content:"|28|user="; nocase;
isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,
www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user;
sid:2102650; rev:3;)

It seems like the "isdataat:1000,relative" option is not taken into
account, as packets are smaller than 1000 bytes.

For example, here are the last bytes of a matching packet:
"(HOST=PC-MARIANNE)(USER=marianne))))".

I can provide you with a packet capture if you want.

Br,

Cyrille
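Added example, not part of Cyrille's post: a small evaluator that walks the content, isdataat and within options of SID 2102650 over one payload buffer, so the rule's intended per-packet logic can be checked against a sample. The payloads below are constructed to resemble the short TNS connect packet described above; they are not the original capture, and the isdataat check is a plain-length approximation of Snort's option.

```python
# Hypothetical per-packet evaluator for the option chain of SID 2102650:
#   content:"connect_data"; nocase;
#   content:"|28|user="; nocase;
#   isdataat:1000,relative;
#   content:!"|22|"; within:1000;

# Constructed sample payloads (not from the list post's capture).
SHORT_PACKET = (b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)"
                b"(CID=(PROGRAM=sqlplus)(HOST=PC-MARIANNE)(USER=marianne))))")
LONG_NO_QUOTE = b"(CONNECT_DATA=(USER=" + b"A" * 1200 + b"))"
LONG_WITH_QUOTE = b"(CONNECT_DATA=(USER=" + b"A" * 500 + b'"' + b"A" * 700 + b"))"


def eval_sid_2102650(payload: bytes) -> dict:
    """Evaluate the rule's options left to right with a moving cursor.

    Returns a dict: 'match' (bool), 'failed' (the option that stopped the
    match, or None) and, once the cursor is placed, 'remaining' (bytes left
    after the end of the "(user=" match).
    """
    lower = payload.lower()  # emulate nocase by lowering both sides

    # content:"connect_data"; nocase;  (searched from the buffer start)
    if lower.find(b"connect_data") < 0:
        return {"match": False, "failed": 'content:"connect_data"'}

    # content:"|28|user="; nocase;  (|28| is '(', also not relative)
    pos = lower.find(b"(user=")
    if pos < 0:
        return {"match": False, "failed": 'content:"|28|user="'}
    cursor = pos + len(b"(user=")          # relative pointer sits here
    remaining = len(payload) - cursor

    # isdataat:1000,relative;  -> at least 1000 bytes must follow the cursor
    if remaining < 1000:
        return {"match": False, "failed": "isdataat:1000,relative",
                "remaining": remaining}

    # content:!"|22|"; within:1000;  -> no '"' in the 1000 bytes after cursor
    if b'"' in payload[cursor:cursor + 1000]:
        return {"match": False, "failed": 'content:!"|22|"; within:1000',
                "remaining": remaining}

    return {"match": True, "failed": None, "remaining": remaining}


if __name__ == "__main__":
    for name, pkt in (("short", SHORT_PACKET), ("long", LONG_NO_QUOTE),
                      ("long+quote", LONG_WITH_QUOTE)):
        print(name, len(pkt), eval_sid_2102650(pkt))
```

On the short sample the chain stops at isdataat with only 12 bytes after "(user=", which is the per-packet behaviour the post expects. When a sensor still alerts on such traffic, one thing to check is whether the buffer being inspected is a stream-reassembled segment rather than the single wire packet, since the relative checks are evaluated against whatever buffer the detection engine was handed.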