[Snort-sigs] lots of false positives for "GPL SQL user name buffer overflow attempt"

Cyrille Bollu cyrille.bollu at ...2420...
Tue Jan 21 08:48:34 EST 2014


Hi,

Signature 2102650 generates lots of false positives here.

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3;)

It seems like the "isdataat:1000,relative" option is not taken into
account, as packets are smaller than 1000 bytes.

For example, here are the last bytes of a matching packet:
"(HOST=PC-MARIANNE)(USER=marianne))))".

I can provide you with a packet capture if you want.

Br,

Cyrille
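To see what data the option chain of SID 2102650 actually needs before it fires, here is an added example (my own Python, not Snort's detection engine and not code from the post or from the rule's authors) that models the four payload options, content/nocase, isdataat:1000,relative and the negated content with within:1000, over constructed TNS connect strings. It evaluates the rule both packet by packet and over the reassembled stream. The connect-string layout, the 300-byte segmentation, and the exact isdataat boundary ("a byte exists at offset N past the cursor") are assumptions made for illustration.

```python
"""Offline model of the payload option chain in Snort SID 2102650.

Added example: this is hand-written Python, not Snort's matcher and not
anything from the mailing-list post. The TNS connect strings are
constructed. The isdataat boundary (byte present at offset N past the
cursor) and the 300-byte segmentation are assumptions.
"""
from __future__ import annotations

from typing import List, Optional

ISDATAAT_OFFSET = 1000   # isdataat:1000,relative
WITHIN_WINDOW = 1000     # content:!"|22|"; within:1000


def find_nocase(buf: bytes, pat: bytes, start: int = 0, end: Optional[int] = None) -> int:
    """Case-insensitive search, as the 'nocase' modifier does."""
    stop = len(buf) if end is None else end
    return buf.lower().find(pat.lower(), start, stop)


def rule_2102650_matches(payload: bytes) -> bool:
    """Evaluate the rule's payload options against one detection buffer."""
    # content:"connect_data"; nocase;  -- searched from the start of the buffer
    if find_nocase(payload, b"connect_data") < 0:
        return False
    # content:"|28|user="; nocase;  -- no distance/within, so also searched
    # from the start of the buffer; the cursor is left just after the match
    hit = find_nocase(payload, b"(user=")
    if hit < 0:
        return False
    cursor = hit + len(b"(user=")
    # isdataat:1000,relative;  -- modeled as "a byte exists 1000 bytes past
    # the cursor" (assumption); isdataat does not move the cursor
    if cursor + ISDATAAT_OFFSET >= len(payload):
        return False
    # content:!"|22|"; within:1000;  -- negated content: the option fails if
    # a double quote occurs anywhere in the 1000 bytes after the cursor
    if payload.find(b'"', cursor, cursor + WITHIN_WINDOW) >= 0:
        return False
    return True


def per_packet(segments: List[bytes]) -> List[bool]:
    """Rule evaluated on each TCP segment by itself."""
    return [rule_2102650_matches(s) for s in segments]


def reassembled(segments: List[bytes]) -> bool:
    """Rule evaluated on the stream-reassembled buffer of the same segments."""
    return rule_2102650_matches(b"".join(segments))


def segment(data: bytes, size: int) -> List[bytes]:
    """Split a buffer into fixed-size pieces, imitating small TCP packets."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def connect_string(user: bytes) -> bytes:
    """Constructed TNS connect descriptor in the shape quoted in the post."""
    return (b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)"
            b"(CID=(PROGRAM=sqlplus)(HOST=PC-MARIANNE)(USER=" + user + b"))))")


# Constructed samples
SHORT = connect_string(b"marianne")                           # what the post quotes
LONG = connect_string(b"A" * 1100)                            # oversized user name, no quote
LONG_QUOTED = connect_string(b"A" * 500 + b'"' + b"A" * 600)  # quote inside the window


if __name__ == "__main__":
    print("short, single packet          :", rule_2102650_matches(SHORT))
    print("long, single packet           :", rule_2102650_matches(LONG))
    print("long, quote in within window  :", rule_2102650_matches(LONG_QUOTED))
    pieces = segment(LONG, 300)
    print("long, 300-byte pieces, per packet :", per_packet(pieces))
    print("long, 300-byte pieces, reassembled:", reassembled(pieces))
```

Under this model the short string from the post cannot satisfy isdataat:1000,relative on its own, while the same oversized connect string split into 300-byte pieces fails on every piece but matches once the pieces are joined. That is the check worth making against the capture: because the rule carries flow:to_server,established, Snort evaluates it against stream-reassembled data rather than a single packet, so a window of 1000 bytes can be satisfied across several packets that are each well under 1000 bytes.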