[Snort-sigs] Oracle grant fix

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Fri Jun 7 11:11:04 EDT 2002


tcp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"ORACLE grant create
attempt"; flow:to_server,established; content:"grant "; nocase;
content:"create "; nocase; content:" to "; nocase;
classtype:protocol-command-decode;)
tcp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"ORACLE grant on attempt";
flow:to_server,established; content:"grant "; nocase; content:" on ";
nocase; content:" to "; nocase; classtype:protocol-command-decode;)
 
In reality, this doesn't fix all false positives, but it certainly reduces
them greatly (especially the grant create )
Anyone interested in catching the granting of administrative rights?




More information about the Snort-sigs mailing list