[Snort-sigs] redundant oracle rules: 1692 & 1693

Brian bmc at ...95...
Sun Jan 26 16:11:01 EST 2003


On Fri, Dec 13, 2002 at 11:39:07AM -0600, Andrew Hintz (Drew) wrote:
> It looks like sid 1692 and 1693 are redundant...
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop
> table attempt"; flow:to_server,established; content:"drop table"; nocase;
> classtype:protocol-command-decode; sid:1692; rev:3;)
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE
> create table attempt"; flow:to_server,established; content:"drop table";
> nocase; classtype:protocol-command-decode; sid:1693; rev:3;)
> 
> Is sid 1693 maybe supposed to have content:"create table"; ?

Oops, corrected.

-brian




More information about the Snort-sigs mailing list