[Snort-sigs] Error in oracle rule...

Jay 'Whip' Grizzard elfchief at ...3249...
Fri Sep 22 18:57:48 EDT 2006

I'm not certain where the right place to send bug reports in rules to is,
and haven't been able to find specific data, so I'll try here.

I think that the oracle 'user name buffer overflow attempt' rule (sid 2650) 
is wrong and does not check for the correct string.

It currently reads (relevant snippet):

content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000

0x28 = (
0x22 = "

... which is basically saying to match on the string "(user=" if there's not
a quote within the next thousand characters.

What I think it's *supposed* to do is to match if there's not a closing
parenthesis within the next thousand characters, since the string used
in actual requests is "(user=<username>)". 

So I think the rule should actually be (again, relevant snippet):

content:"|28|user="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000

Thanks for your attention.


More information about the Snort-sigs mailing list