[Snort-sigs] new rule for detect

Matthew Watchinski mwatchinski at ...435...
Tue Jun 26 17:50:10 EDT 2007


Couple questions.

1. Why 200 if the stack buffer for this is 100 bytes?
2. Why content:!")"; if an SQL statement like this works

uuid_from_char( 'Ax100' )

Seems like the terminator would be ' and not )

3. Why do a dsize, an isdataat and a within that all check essentially
the same thing?

4. Since this function is only supposed to convert text UUIDs to byte
UUIDs, why not just whitelist valid UUIDs?  I.e. the function only takes
"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX" and it must be formatted like that.

Cheers,
-matt

rmkml wrote:
> Hi,
> 
> please check and maybe add this new rule:
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 21064 (msg:"SQL Ingres uuid_from_char() overflow attempt"; flow:to_server,established; dsize:>200; content:" uuid_from_char("; nocase; isdataat:200,relative; content:!")"; within:200; reference:cve,2007-3338; classtype:attempted-user; sid:92036; rev:1;)
> 
> Any suggestions and improvements are welcome,
> 
> Credits:
> Crusoe Researches
> http://www.Crusoe-Researches.com
> contact at ...3281...
> => Crusoe Researches has more than 2036 unique 'snort' rules available for commercial access
>      (Contact me directly if you are interested)
> 
> Azwalaro, a new French open source NIDPS project
> http://www.Crusoe-Researches.com/azwalaro/
> azwalaro at ...3281...
> 
> Regards
> Rmkml
> 
> 
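As an added illustration of points 2 and 4 above (this is example code written for this archive page, not code from either poster or from the Snort or Ingres projects), the following Python script compares a rough approximation of the posted rule's payload logic (dsize, isdataat, and the negated ")" within a 200-byte window) against the whitelist approach Matt suggests, run over a few constructed SQL statements. The regexes, function names and sample statements are assumptions made for the illustration; the UUID layout used is the standard 8-4-4-4-12 hex form, and the 100-byte argument length is simply the figure raised in the thread, not something verified here.

```python
import re

# Canonical textual UUID: 8-4-4-4-12 hex digits (standard layout; Matt's
# mail sketches the same shape with X placeholders).
UUID_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$"
)

# A uuid_from_char( '...' ) call with a single-quoted SQL string argument.
# The argument ends at the closing quote (doubled quotes escape), not at ')'.
CALL_RE = re.compile(r"uuid_from_char\s*\(\s*'((?:[^']|'')*)'", re.IGNORECASE)

CONTENT = b" uuid_from_char("   # the content: string from the posted rule


def posted_rule_matches(payload: bytes, window: int = 200) -> bool:
    """Rough approximation (assumption) of the posted rule's payload checks:
    dsize:>200, the content string present (nocase), isdataat:200,relative,
    and no ')' within the 200 bytes after the match (content:!")"; within:200).
    Flow and port conditions are ignored here."""
    if len(payload) <= window:            # dsize:>200
        return False
    idx = payload.lower().find(CONTENT)   # content:" uuid_from_char("; nocase
    if idx < 0:
        return False
    after = payload[idx + len(CONTENT):]
    if len(after) < window:               # isdataat:200,relative
        return False
    return b")" not in after[:window]     # content:!")"; within:200


def whitelist_verdicts(payload: bytes):
    """Whitelist approach: every uuid_from_char() argument must look like a
    well-formed UUID; anything else is suspicious regardless of length.
    Returns a list of (argument, is_suspicious)."""
    text = payload.decode("latin-1")
    return [(arg, UUID_RE.match(arg) is None) for arg in CALL_RE.findall(text)]


def whitelist_flags(payload: bytes) -> bool:
    return any(bad for _, bad in whitelist_verdicts(payload))


# Constructed sample statements (not real captures).
BENIGN = b"select uuid_from_char( '6ba7b810-9dad-11d1-80b4-00c04fd430c8' ) from iidbconstants"
# 100-byte argument followed by a closing paren: whole statement is under 200 bytes.
SHORT_ARG = b"select uuid_from_char( '" + b"A" * 100 + b"' )"
# Long argument with no ')' anywhere in the 200-byte window.
LONG_ARG = b"select uuid_from_char( '" + b"A" * 300 + b"'"
# Long argument with a ')' placed inside the quoted string early in the window.
PAREN_IN_LITERAL = b"select uuid_from_char( '" + b"A" * 50 + b")" + b"A" * 250 + b"' )"

SAMPLES = {
    "benign": BENIGN,
    "short_arg": SHORT_ARG,
    "long_arg": LONG_ARG,
    "paren_in_literal": PAREN_IN_LITERAL,
}


def compare() -> dict:
    """Map sample name -> (posted_rule_hit, whitelist_hit)."""
    return {name: (posted_rule_matches(p), whitelist_flags(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rule_hit, wl_hit) in compare().items():
        print(f"{name:18s} posted_rule={rule_hit!s:5s} whitelist={wl_hit}")
```

Running it, the benign statement is clean under both checks; "short_arg" (a 100-byte argument, the length Matt cites) never reaches the 200-byte dsize threshold so the posted rule is silent; "paren_in_literal" is silent under the posted rule because the negated ")" matches inside the string literal even though the closing quote is the real terminator; the whitelist check flags all three non-UUID arguments without needing a length threshold at all.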