[Snort-sigs] Duplicate Rule

Dan Hanson dhanson at ...113...
Thu Jun 13 14:01:10 EDT 2002


In oracle.rules, there are two rules that are identical except for the
message, classtype and the SID.

snortrulescurrent/rules/oracle.rules:alert tcp $EXTERNAL_NET any ->
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt";
flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase;
classtype:system-call-detect; sid:1673; rev:3;)

snortrulescurrent/rules/oracle.rules:alert tcp $EXTERNAL_NET any ->
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt";
flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase;
classtype:protocol-command-decode; sid:1698; rev:3;)

--
Dan Hanson
SecurityFocus -- http://www.securityfocus.com
ARIS -- http://aris.securityfocus.com
dhanson at ...113...
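
A check for this kind of duplicate, as an added example that is not part of the original post or of Snort itself: it strips the labelling options (msg, classtype, sid, rev and similar) and groups rules by what is left. The first two rules are the ones quoted above with the grep filename prefix removed and the wrapped lines joined; the third rule and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Options that label a rule but do not change which traffic it matches.
LABEL_OPTIONS = {"msg", "classtype", "sid", "rev", "reference", "priority", "metadata"}

# Rules 1673 and 1698 are from the post; rule 1000001 is a constructed control.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"constructed control rule"; flow:to_server,established; content:"CONSTRUCTED_TOKEN"; nocase; classtype:protocol-command-decode; sid:1000001; rev:1;)
'''

# One option: plain characters, backslash escapes, or a whole quoted string,
# so a ';' inside quotes or written as '\;' does not end the option.
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def fingerprint(rule):
    """Return (header, detection options) with labelling options removed.

    Option order is kept because modifiers such as nocase apply to the
    content option that precedes them.
    """
    m = re.match(r"\s*(.*?)\s*\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("not a rule: %r" % rule)
    header = " ".join(m.group(1).split())
    options = [o.strip() for o in OPTION_RE.findall(m.group(2)) if o.strip()]
    detect = tuple(o for o in options
                   if o.split(":", 1)[0].strip() not in LABEL_OPTIONS)
    return header, detect

def find_duplicates(text):
    """Return sorted SID lists for rules sharing header and detection options."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid:\s*(\d+)", line)
        groups[fingerprint(line)].append(int(sid.group(1)) if sid else None)
    return [sorted(sids) for sids in groups.values() if len(sids) > 1]

if __name__ == "__main__":
    for sids in find_duplicates(RULES):
        print("same detection logic:", sids)
```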




