[Snort-sigs] False Positives on sid 1690

Joseph Gama josephgama at ...144...
Mon Aug 9 15:59:13 EDT 2004


I agree. This is my idea:

pcre:"/grant\s+(\w+\s+){1,11}to\s+/i"

The 1,11 comes from the following cases:
grant all_customer to Matt;
grant select , delete , update , create , insert on customer to Matt;

Peace,

Joseph

--- Matthew Jonkman <matt at ...2436...> wrote:

> Getting a lot of false positives on sid 1690, Oracle Grant Attempt.
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:3;)
> 
> Anytime an oracle data stream contains the word Grant (as in Grant street, John Grant, "These funds have been granted to", etc) the rule is hitting. Maybe a pcre string to look specifically for permission grants or something. Maybe a within statement to keep the "to" shortly after the grant. But just "grant" and "to" is pretty non-unique.
> 
> Matt

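An added harness, not part of the thread, that runs the proposed pcre (with the backslash escapes as PCRE expects them) and an emulation of the rev:3 content matches over constructed payloads: the two GRANT statements from the post and benign text of the kind Matt describes. The COMMA_TOLERANT variant is a hypothetical extension of mine, not from the post; it lets a bare comma count as one of the 1-11 tokens, which is how the space-separated privilege list reaches eleven, since `\w` alone does not match the commas. Python's `re` is assumed to behave like PCRE for these patterns.

```python
import re

# Joseph's proposed pcre from the post, with \s and \w as PCRE expects them.
PROPOSED = re.compile(r"grant\s+(\w+\s+){1,11}to\s+", re.IGNORECASE)

# Hypothetical variant (mine, not from the post): a token may also be a bare
# comma, so "select , delete , ... on customer" is 11 tokens before "to".
COMMA_TOLERANT = re.compile(r"grant\s+([\w,]+\s+){1,11}to\s+", re.IGNORECASE)


def sid1690_content_match(payload: str) -> bool:
    """Emulate the rev:3 rule body: two independent, case-insensitive content
    matches ('grant ' and ' to ') with no ordering or distance constraint."""
    p = payload.lower()
    return "grant " in p and " to " in p


def pcre_match(pattern: re.Pattern, payload: str) -> bool:
    return pattern.search(payload) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "grant_role": "grant all_customer to Matt;",
    "grant_list": "grant select , delete , update , create , insert on customer to Matt;",
    "street": "UPDATE orders SET note='ship to 12 Grant Street' WHERE id=7",
    "person": "INSERT INTO memos VALUES ('memo to John Grant about Q3')",
    "granted": "funds have been granted to the trust",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (content_rule_hit, proposed_pcre_hit, comma_tolerant_hit)}."""
    return {
        name: (
            sid1690_content_match(text),
            pcre_match(PROPOSED, text),
            pcre_match(COMMA_TOLERANT, text),
        )
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:11} content={hits[0]!s:5} proposed={hits[1]!s:5} comma={hits[2]}")
```

The benign "street" and "person" payloads trip the content-only rule but neither pcre, while the comma-separated GRANT only matches once commas are allowed as tokens.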

