[Snort-sigs] lots of false positives for "GPL SQL user name buffer overflow attempt"

rmkml rmkml at ...174...
Tue Jan 21 09:20:24 EST 2014


Hi Cyrille,

Please test with this new version:

  alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established;
content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; content:!"|29|"; within:1000;
reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:4;)

Regards
@Rmkml


On Tue, 21 Jan 2014, Cyrille Bollu wrote:

> Hi,
> 
> thanks for the info
> 
> I was just looking at the flow:only_stream... options. That might well be related.
> 
> OTOH, I'm new to Snort and I don't yet understand the links between all these rulesets: the "official ruleset" (you mean the VRT one?), the ET, the GPL, .... Do you mind explaining to me what you mean by "ET forking"?
> 
> Br,
> 
> Cyrille
> 
> On Tue, Jan 21, 2014 at 3:11 PM, Joel Esler (jesler) <jesler at ...3865...> wrote:
>       isdataat reads a whole stream, so if packets are being reassembled as part of the Stream5 preprocessor, isdataat can cross those packet boundaries, while you may only receive one packet in the alert.
> 
> That may be the cause of it.  It doesn't look like that rule matches the rule in the official ruleset, yet another reason why ET forking these rules was a bad idea.
> 
> 
> On Jan 21, 2014, at 8:48 AM, Cyrille Bollu <cyrille.bollu at ...2420...> wrote:
>
>       Hi,
> 
> Signature 2102650 generates lots of false positives here.
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase;
> isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3;)
> 
> It seems like the "isdataat:1000,relative" option is not taken into account, as packets are smaller than 1000 bytes.
> 
> For example, here are the last bytes of a matching packet: "(HOST=PC-MARIANNE)(USER=marianne))))".
> 
> I can provide you with a packet capture if you want
> 
> Br,
> 
> Cyrille

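The following is an added illustration, not code from the thread or from the Snort project, of the point Joel makes above: isdataat:1000,relative is evaluated against whatever buffer the detection engine sees, so once Stream5 has reassembled several client packets the rev:3 rule can fire on a normal 8-byte user name, while the rev:4 rule's extra content:!"|29|"; within:1000; rejects any user name that is closed by ")" inside those 1000 bytes. The matcher below is a simplified approximation of Snort's content/nocase, isdataat and negated-content-with-within semantics (it is not Snort, and it ignores Snort's retry behaviour on multiple content hits); the TNS connect strings and the follow-on client data are constructed here and are not taken from any capture.

```python
"""Emulation of the relevant part of sid:2102650, rev:3 versus rev:4.

Added illustration: a simplified approximation of Snort's content /
isdataat / within semantics, run over constructed buffers. Not Snort,
and none of the bytes below come from a real capture.
"""


def tns_connect(user: str) -> bytes:
    """Constructed TNS connect string; the tail mirrors the
    "(HOST=PC-MARIANNE)(USER=marianne))))" shape quoted in the thread."""
    return (
        "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)"
        "(CID=(PROGRAM=sqlplus)(HOST=PC-MARIANNE)"
        f"(USER={user}))))"
    ).encode()


def find_nocase(buf: bytes, pat: bytes, start: int = 0) -> int:
    """content:"..."; nocase; -- case-insensitive search, offset or -1."""
    return buf.lower().find(pat.lower(), start)


def rule_2102650(buf: bytes, rev: int) -> bool:
    """Approximate the rule's option chain over one detection buffer.

    rev 3:  content:"connect_data"; nocase; content:"|28|user="; nocase;
            isdataat:1000,relative; content:!"|22|"; within:1000;
    rev 4:  the same, plus content:!"|29|"; within:1000;

    `buf` is whatever the detection engine is handed: a single packet, or a
    reassembled chunk when Stream5 has stitched several packets together.
    """
    if find_nocase(buf, b"connect_data") < 0:
        return False
    hit = find_nocase(buf, b"(user=")
    if hit < 0:
        return False
    cursor = hit + len(b"(user=")          # detection pointer after "(user="
    # isdataat:1000,relative -- at least 1000 bytes must follow the match
    # (the exact off-by-one of isdataat does not matter for these samples).
    window = buf[cursor:cursor + 1000]
    if len(window) < 1000:
        return False
    # content:!"|22|"; within:1000; -- no double quote in those 1000 bytes.
    if b'"' in window:
        return False
    # rev 4 adds content:!"|29|"; within:1000; -- no ')' either, so a user
    # name that is closed normally a few bytes later can no longer match.
    if rev >= 4 and b")" in window:
        return False
    return True


def evaluate(buf: bytes) -> dict:
    """Run both revisions over one buffer."""
    return {"rev3": rule_2102650(buf, 3), "rev4": rule_2102650(buf, 4)}


# Constructed buffers (not real captures).
def sample_single_packet() -> bytes:
    """One connect packet on its own, well under 1000 bytes."""
    return tns_connect("marianne")


def sample_reassembled_stream() -> bytes:
    """The same connect packet followed by later client data in the same
    stream. No double quote anywhere, so rev:3 matches as soon as 1000
    bytes are visible after "(USER=", although the user name is 8 bytes."""
    follow_on = b"SELECT 1 FROM dual\n" * 80   # 1520 bytes, no '"' and no ')'
    return tns_connect("marianne") + follow_on


def sample_long_username() -> bytes:
    """What the rule is actually after: an unquoted 1200-byte user name."""
    return tns_connect("A" * 1200)


if __name__ == "__main__":
    for name, fn in [("single packet", sample_single_packet),
                     ("reassembled stream", sample_reassembled_stream),
                     ("1200-byte user name", sample_long_username)]:
        print(f"{name:20s} -> {evaluate(fn())}")
```

Running it shows the three cases side by side: the lone connect packet matches neither revision (too short for isdataat), the reassembled stream matches rev:3 but not rev:4 (the ")" right after "marianne" kills it), and the genuinely long user name matches both. When checking this against a real Snort deployment, compare against the stream data, not just the single packet that ends up in the alert.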
