[Snort-sigs] False Positives on sid 1690

Matthew Jonkman matt at ...2436...
Sun Aug 8 07:21:02 EDT 2004


Getting a lot of false positives on sid 1690, Oracle Grant Attempt.

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:3;)

Anytime an oracle data stream contains the word Grant (as in Grant 
street, John Grant, "These funds have been granted to", etc) the rule is 
hitting. Maybe a pcre string to look specifically for permission grants 
or something. Maybe a within statement to keep the "to" shortly after 
the grant. But just "grant" and "to" is pretty non-unique.

Matt
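One way to measure how much a tightened pattern would help before touching the rule, added here as an example and not part of Matt's post or of the Snort ruleset: the script below reproduces the two-substring logic of sid 1690 and compares it with a candidate PCRE (an assumption, not a vetted rule) that requires GRANT at a statement boundary, a short privilege or role list, an optional ON clause, and then TO plus a grantee. The bounded quantifier plays the role of the "within" the post suggests. The sample payloads are constructed, modelled on the false positives described.

```python
import re

# Candidate tightened pattern (assumption, not a reviewed Snort rule). Carried in a
# Snort rule it would look roughly like:
#   pcre:"/(^|[;\s])grant\s+[a-z_ ,]{1,80}?\s+(on\s+\S+\s+)?to\s+[a-z0-9_\"]+/i";
# The {1,80} cap keeps "to" close to "grant", the way a within: option would.
GRANT_TO_RE = re.compile(
    r'(?:^|[;\s])grant\s+[a-z_ ,]{1,80}?\s+(?:on\s+\S+\s+)?to\s+[a-z0-9_"]+',
    re.IGNORECASE,
)


def original_rule_matches(payload: str) -> bool:
    """sid 1690 rev 3 logic: two independent case-insensitive content matches."""
    p = payload.lower()
    return "grant " in p and " to " in p


def tightened_rule_matches(payload: str) -> bool:
    """Candidate replacement: one PCRE describing the shape of a GRANT statement."""
    return GRANT_TO_RE.search(payload) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # real privilege grants that the rule should keep firing on
    "grant_privilege": "GRANT SELECT, INSERT ON hr.employees TO appuser;",
    "grant_role": "grant dba to scott",
    # free text of the kind the post reports as false positives
    "street_address": "INSERT INTO customers VALUES ('John Grant', '12 Grant Street', 'shipped to Ohio');",
    "funds_text": "UPDATE notes SET body = 'a grant to the arts council was approved';",
    # prose that still has the grant <words> to <word> shape: the PCRE cannot tell it apart
    "residual_fp": "INSERT INTO memo VALUES ('we grant funds to the library');",
}


def evaluate(samples=SAMPLES):
    """Return {name: (original_matches, tightened_matches)} for each sample."""
    return {
        name: (original_rule_matches(p), tightened_rule_matches(p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (orig, tight) in evaluate().items():
        print(f"{name:16s} original={orig!s:5s} tightened={tight}")
```

The two address and free-text samples stop matching while both real grants still do, but the last sample shows the limit of a syntactic check: English that happens to read "grant ... to ..." is still indistinguishable from SQL, so the PCRE reduces the noise rather than eliminating it.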
