[Snort-sigs] Oracle SQL Obfuscation Rule

Joel Esler jesler at ...435...
Tue Oct 22 19:14:18 EDT 2013

Thanks Nick,

I’ll ask someone to take a look.  

Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire

On Oct 22, 2013, at 5:59 PM, Nicholas Mavis <nmavis at ...435...> wrote:

> I noticed that in the ruleset, we currently have a rule looking for MS
> SQL obfuscation with a string of char()'s. However, we do not have a
> rule for the Oracle version, chr(). I've altered the original rule to
> the following:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
> (msg:"INDICATOR-OBFUSCATION large number of calls to chr function";
> flow:established,to_server; content:"GET"; http_method;
> content:"CHR("; nocase; http_uri;
> pcre:"/CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(/smiU"; metadata:service
> http; classtype:web-application-attack;)
> Thanks,
> Nick Mavis

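To see what the proposed rule actually fires on, here is an added Python approximation of its match logic (this is not Snort's engine and not code from the post): the GET method check, the nocase "CHR(" content match on the URI, and the five-occurrence PCRE, with the U (uri buffer) modifier approximated by running the regex against the request URI only. The sample requests are constructed for illustration.

```python
import re

# Constraints copied from the posted rule: GET method, "CHR(" anywhere in the
# URI (nocase), and at least five "CHR(" occurrences in order (pcre /smiU).
CHR_PCRE = re.compile(r"CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(", re.S | re.M | re.I)


def parse_request_line(raw: bytes):
    """Return (method, uri) from the first line of a raw HTTP request."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split(" ")
    if len(parts) < 2:
        return None, None
    return parts[0], parts[1]


def rule_matches(raw: bytes) -> bool:
    """Approximate the posted rule against one request; True means 'alert'."""
    method, uri = parse_request_line(raw)
    if method != "GET" or uri is None:       # content:"GET"; http_method;
        return False
    if "chr(" not in uri.lower():             # content:"CHR("; nocase; http_uri;
        return False
    return CHR_PCRE.search(uri) is not None   # pcre:"/CHR\(...CHR\(/smiU"


# Constructed sample requests (not taken from the list post).
# Five chr() calls in the query string: the rule should alert.
OBFUSCATED = (b"GET /item.jsp?id=1'||chr(117)||chr(110)||chr(105)||chr(111)"
              b"||chr(110)-- HTTP/1.1\r\nHost: example.test\r\n\r\n")
# Only two chr() calls: below the rule's threshold, no alert.
BENIGN = b"GET /item.jsp?id=1&q=CHR(65)||chr(66) HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Same payload in a POST body: outside the rule's GET/http_uri scope, no alert.
POST_BODY = (b"POST /item.jsp HTTP/1.1\r\nHost: example.test\r\n\r\n"
             b"id=1'||chr(1)||chr(2)||chr(3)||chr(4)||chr(5)")

if __name__ == "__main__":
    for name, req in (("OBFUSCATED", OBFUSCATED), ("BENIGN", BENIGN), ("POST_BODY", POST_BODY)):
        print(f"{name}: alert={rule_matches(req)}")
```

The POST case illustrates the rule's coverage boundary as written: it only inspects the URI of GET requests, so the same chr() chain submitted in a request body would need a separate rule keyed on the client body.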