[Snort-sigs] False Positives on sid 1690
matt at ...2436...
Sun Aug 8 07:21:02 EDT 2004
Getting a lot of false positives on sid 1690, Oracle Grant Attempt.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:3;)
Anytime an oracle data stream contains the word Grant (as in Grant
street, John Grant, "These funds have been granted to", etc) the rule is
hitting. Maybe a pcre string to look specifically for permission grants
or something. Maybe a within statement to keep the "to" shortly after
the grant. But just "grant" and "to" is pretty non-unique.