[Snort-sigs] New rule for detect "Shutdown TNS Listener via Oracle iSQL*Plus"

rmkml rmkml at ...324...
Fri Oct 7 13:58:56 EDT 2005


Hi,

Please check and add this new rule:

# oracle.rules
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; pcre:"/COMMAND.*STOP.*LISTENER/si"; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user;)

Regards
Rmkml
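
Added example, not part of the original post: a Python model of the rule's two payload options (content with nocase, pcre with /si), run over constructed payloads to show what the signature fires on, including a benign request where the keywords are scattered across lines. The sample payloads, the host name and the BOUNDED pattern are assumptions made for illustration; header and flow options are not modelled.

```python
import re

# Payload options transcribed from the posted rule.
CONTENT = b"isqlplus"  # content:"isqlplus"; nocase;
PCRE = re.compile(rb"COMMAND.*STOP.*LISTENER", re.S | re.I)  # pcre:"/.../si"

# Hypothetical tightening (not from the post): keep the three keywords on one
# line and at most 64 bytes apart, so unrelated words cannot combine.
BOUNDED = re.compile(rb"COMMAND[^\r\n]{0,64}STOP[^\r\n]{0,64}LISTENER", re.I)


def rule_matches(payload: bytes, pattern=PCRE) -> bool:
    """Both options must match somewhere in the payload (content AND pcre)."""
    return CONTENT in payload.lower() and pattern.search(payload) is not None


# Constructed sample payloads; they reuse only the keywords visible in the rule.
SAMPLES = {
    "keywords_adjacent": b"POST /isqlplus HTTP/1.1\r\nHost: db.example\r\n\r\n"
                         b"q=COMMAND+STOP+LISTENER",
    "mixed_case": b"POST /iSQLPlus HTTP/1.1\r\n\r\nq=command stop listener",
    "scattered_words": b"POST /isqlplus HTTP/1.1\r\n\r\n"
                       b"note=Use the command line client.\r\n"
                       b"Do not stop the batch job.\r\n"
                       b"The event listener is unaffected.",
    "other_app": b"POST /reports HTTP/1.1\r\n\r\nq=COMMAND STOP LISTENER",
}


def evaluate(pattern=PCRE) -> dict:
    """Return {sample name: would the rule's payload options match?}."""
    return {name: rule_matches(data, pattern) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    posted, bounded = evaluate(), evaluate(BOUNDED)
    for name in SAMPLES:
        print(f"{name:18} posted={posted[name]!s:5} bounded={bounded[name]}")
```

The bounded pattern trades recall for precision: it will not fire when the keywords are split across lines or further apart than 64 bytes, so it needs checking against real traffic before use.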



