[Snort-sigs] Oracle SQL Obfuscation Rule

Nicholas Mavis nmavis at ...435...
Tue Oct 22 17:59:14 EDT 2013


I noticed that in the ruleset, we currently have a rule looking for MS
SQL obfuscation with a string of char()'s. However, we do not have a
rule for the Oracle version, chr(). I've altered the original rule to
the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"INDICATOR-OBFUSCATION large number of calls to chr function";
flow:established,to_server; content:"GET"; http_method;
content:"CHR("; nocase; http_uri;
pcre:"/CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(/smiU"; metadata:service
http; classtype:web-application-attack;)

Thanks,
Nick Mavis
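As an added example, not part of the post above and not Snort or Talos code, the following Python script re-implements the detection logic of the proposed rule (a GET request whose normalised URI contains five or more CHR( calls) so the threshold can be checked against sample requests offline. It generalises the rule slightly: the function-name list covers both the Oracle chr() and the MS SQL char() spelling, and the threshold is a parameter. The function names, the single-pass percent-decoding used to approximate http_inspect's URI normalisation, and the sample request lines are all assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed example: a Python re-implementation of the detection logic in the
# posted Snort rule (GET request whose URI holds five or more CHR( calls),
# generalised to a list of function names (chr for Oracle, char for MS SQL) and
# a configurable threshold. Not Snort code; function names, the normalisation
# approximation and the sample requests are assumptions for illustration.

DEFAULT_FUNCS = ("chr", "char")
DEFAULT_THRESHOLD = 5   # the posted pcre repeats CHR\( five times


def build_pattern(funcs=DEFAULT_FUNCS, threshold=DEFAULT_THRESHOLD):
    """Build the equivalent of the rule's pcre: N occurrences of FUNC( joined by
    lazy .*? filler, case-insensitive, dot matching newlines (the s, m, i flags)."""
    alt = "|".join(re.escape(f) for f in funcs)
    call = r"(?:%s)\(" % alt
    return re.compile(r"(?:.*?%s){%d}" % (call, threshold), re.IGNORECASE | re.DOTALL)


def normalize_uri(uri):
    """Approximate the normalised URI buffer the rule inspects via http_uri and
    the pcre U flag: percent-decode once so chr%28 is seen as chr(.
    Assumption: a single decoding pass; Snort's http_inspect does more."""
    return unquote(uri)


def count_calls(uri, funcs=DEFAULT_FUNCS):
    """Count FUNC( occurrences in the normalised URI, case-insensitively."""
    alt = "|".join(re.escape(f) for f in funcs)
    return len(re.findall(r"(?:%s)\(" % alt, normalize_uri(uri), re.IGNORECASE))


def parse_request_line(line):
    """Split 'METHOD SP URI SP VERSION' into (method, uri); None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1]


def matches_rule(request_line, funcs=DEFAULT_FUNCS, threshold=DEFAULT_THRESHOLD):
    """True when the request line would trigger the rule: GET method (the rule's
    content:"GET"; http_method) and the pcre matching the normalised URI."""
    parsed = parse_request_line(request_line)
    if parsed is None:
        return False
    method, uri = parsed
    if method != "GET":
        return False
    return build_pattern(funcs, threshold).search(normalize_uri(uri)) is not None


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    # 1: five lower-case chr( calls spelling "Hello" -> fires
    "GET /search?q=chr(72)||chr(101)||chr(108)||chr(108)||chr(111) HTTP/1.1",
    # 2: mixed case and percent-encoded parentheses -> still fires after normalisation
    "GET /search?q=CHR%2872%29%7C%7CcHr%28101%29%7C%7CChr%28108%29%7C%7Cchr%28108%29%7C%7CCHR%28111%29 HTTP/1.1",
    # 3: only two calls -> below threshold, no alert
    "GET /search?q=chr(72)||chr(101) HTTP/1.1",
    # 4: five calls but POST -> the rule's http_method check skips it
    "POST /search?q=chr(72)||chr(101)||chr(108)||chr(108)||chr(111) HTTP/1.1",
    # 5: MS SQL char( spelling -> caught by the generalised function list
    "GET /item?id=char(72)+char(101)+char(108)+char(108)+char(111) HTTP/1.1",
]


def scan(requests=SAMPLE_REQUESTS):
    """Return a list of (index, call_count, fired) tuples, one per request line."""
    results = []
    for i, line in enumerate(requests, start=1):
        parsed = parse_request_line(line)
        uri = parsed[1] if parsed else ""
        results.append((i, count_calls(uri), matches_rule(line)))
    return results


if __name__ == "__main__":
    for idx, n, fired in scan():
        print("request %d: %d call(s), %s" % (idx, n, "ALERT" if fired else "no alert"))
```

Request 4 shows the trade-off in the rule as written: the http_method check means a POST carrying the same five calls in its URI produces no alert, and a body-borne payload is not inspected at all, so the threshold and the buffers covered are worth revisiting for the deployment at hand.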
