[Snort-sigs] BUG! Rule 1677 triggers a bug when logging to mysql

Brian bmc at ...95...
Wed Feb 12 13:58:03 EST 2003


On Wed, Feb 12, 2003 at 02:12:43PM +0100, Martin Olsson wrote:
> Rule 1677:
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS
> $ORACLE_PORTS (msg:"ORACLE select like '%' attempt";
> flow:to_server,established; content:" where "; nocase; content:" like
> '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;)
> 
> 
> Recommended actions:
> 1. Modify all rules that might trigger this behavoiur immediately
> 2. Let the rules parser detect this kind of malformed rules at startup

This is not a rules problem.  This is a problem in the implementation of
the database plugin you are using. 

-brian




More information about the Snort-sigs mailing list