[Snort-sigs] Error in oracle rule...
Jay 'Whip' Grizzard
elfchief at ...3249...
Fri Sep 22 18:57:48 EDT 2006
I'm not certain where the right place to send bug reports in rules to is,
and haven't been able to find specific data, so I'll try here.
I think that the oracle 'user name buffer overflow attempt' rule (sid 2650)
is wrong and does not check for the correct string.
It currently reads (relevant snippet):
content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000
0x28 = (
0x22 = "
... which is basically saying to match on the string "(user=" if there's not
a quote within the next thousand characters.
What I think it's *supposed* to do is to match if there's not a closing
parenthesis within the next thousand characters, since the string used
in actual requests is "(user=<username>)".
So I think the rule should actually be (again, relevant snippet):
content:"|28|user="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000
Thanks for your attention.
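
Added example, not part of the original post and not Snort code: a simplified Python model of the two rule snippets quoted above, run over constructed payloads to show how the choice of negated byte (0x22 versus 0x29) changes what alerts. The payload layout, the function name and the isdataat boundary handling are assumptions made for illustration.

```python
# Simplified model of:
#   content:"|28|user="; nocase; isdataat:1000,relative; content:!"<byte>"; within:1000
# This is not Snort; it only mirrors the logic of the quoted snippet.

PREFIX = b"(user="      # |28|user=
WINDOW = 1000           # isdataat:1000 / within:1000
CURRENT = b'"'          # |22|, the byte the shipped rule negates
PROPOSED = b")"         # |29|, the byte the post suggests instead


def rule_matches(payload: bytes, terminator: bytes) -> bool:
    """Return True if the modelled rule would alert on this payload."""
    lowered = payload.lower()                  # nocase
    start = lowered.find(PREFIX)
    while start != -1:
        cursor = start + len(PREFIX)           # relative options start here
        # isdataat:1000,relative -> data must exist 1000 bytes past the cursor
        if len(payload) > cursor + WINDOW:
            window = payload[cursor:cursor + WINDOW]
            # content:!"<byte>"; within:1000 -> alert if byte is absent
            if terminator not in window:
                return True
        start = lowered.find(PREFIX, start + 1)  # try later occurrences
    return False


# Constructed payloads (hand-built, not captured traffic).
HEAD = b"(CID=(PROGRAM=app)(HOST=ws1)"
SAMPLES = {
    # Short, well-formed request: too little data for isdataat to pass.
    "benign_short": HEAD + b"(USER=alice))",
    # Well-formed user field followed by 1200 bytes containing no quote.
    "benign_long": HEAD + b"(USER=alice))" + b"x" * 1200,
    # User field with no closing parenthesis for 1100 bytes.
    "overlong_user": HEAD + b"(USER=" + b"A" * 1100 + b"))",
}


def evaluate() -> dict:
    """Map sample name -> (alert with |22|, alert with |29|)."""
    return {name: (rule_matches(p, CURRENT), rule_matches(p, PROPOSED))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (cur, prop) in evaluate().items():
        print(f"{name:14} current={cur!s:5} proposed={prop}")
```

In this model the quote-based check alerts on the long but well-formed request, while the parenthesis-based check alerts only when the user field itself runs past 1000 bytes.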