[Snort-users] Error trapping signatures ...

Jon Baer security at ...9153...
Sat Jun 21 20:02:10 EDT 2003


I was trying to rip through the archives to see what opinions existed for
things like error trapping and could not find much. I only joined the list
not too long ago, but I'm looking to see if there are any downsides to error
trapping ...

I first noticed that oracle.rules did not have any outbound alerts, and then
I created a few for MySQL:

# Each MySQL ERR packet starts with 0xFF followed by the 2-byte little-endian
# server error code; the hex content below is that marker plus the code.
# classtype must be defined in classification.config; recent Snort versions also require a sid: per rule.

# 0x0416 = 1046 ER_NO_DB_ERROR
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg: "MySQL no database selected"; content: "|FF 16 04|"; classtype:protocol-syntax-error; rev:1;)
# 0x0428 = 1064 ER_PARSE_ERROR
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg: "MySQL syntax error"; content: "|FF 28 04|"; classtype:protocol-syntax-error; rev:1;)
# 0x047A = 1146 ER_NO_SUCH_TABLE
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg: "MySQL non-existing table access attempt"; content: "|FF 7A 04|"; classtype:protocol-syntax-error; rev:1;)
# 0x041E = 1054 ER_BAD_FIELD_ERROR
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg: "MySQL non-existing column access attempt"; content: "|FF 1E 04|"; classtype:protocol-syntax-error; rev:1;)

I realize a dev box would have them set to pass vs. alert, but is there a
downside to having a handful of these types of alerts around?

- jon

NYCSnort: www.nycsnort.org
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
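The rules in the post do an unanchored substring match for the ERR marker byte and the error code, so any server-to-client payload that happens to contain those three bytes (a binary column value, for instance) will trip them. The script below is an added example, not part of the original post or of Snort; it builds MySQL ERR packets for the four error codes the rules target, decodes them the way a protocol-aware check would (both the 4.1+ layout with a '#'+SQLSTATE field and the older layout without it), and contrasts that with the raw byte match the rules perform. The packet samples are constructed here, and the function and constant names are the example's own.

```python
"""Decode MySQL ERR packets and compare a protocol-aware check with the
unanchored byte match used by the posted Snort rules (added example)."""
import struct

# Error codes the posted rules look for, keyed by the numeric server error.
# On the wire the rule pattern is 0xFF followed by the code in little endian.
ERR_CODES = {
    1046: "MySQL no database selected",                 # |FF 16 04|
    1064: "MySQL syntax error",                         # |FF 28 04|
    1146: "MySQL non-existing table access attempt",    # |FF 7A 04|
    1054: "MySQL non-existing column access attempt",   # |FF 1E 04|
}


def build_err_packet(code, message, sqlstate=None, seq=1):
    """Construct a MySQL ERR packet: 3-byte LE payload length, 1-byte sequence
    number, 0xFF, 2-byte LE error code, optional '#' + 5-char SQLSTATE
    (protocol 4.1+), then the human-readable message."""
    body = b"\xff" + struct.pack("<H", code)
    if sqlstate is not None:
        body += b"#" + sqlstate.encode("ascii")
    body += message.encode("utf-8")
    header = struct.pack("<I", len(body))[:3] + bytes([seq])
    return header + body


def parse_err_packet(payload):
    """Return (code, sqlstate, message) when payload is a well-formed ERR
    packet at offset 0, otherwise None. This anchors on the packet header
    and the 0xFF marker instead of searching the whole payload."""
    if len(payload) < 7:  # header + marker + 2-byte code at minimum
        return None
    length = int.from_bytes(payload[0:3], "little")
    body = payload[4:4 + length]
    if len(body) != length or body[0] != 0xFF:
        return None
    code = struct.unpack("<H", body[1:3])[0]
    if len(body) >= 9 and body[3:4] == b"#":
        sqlstate = body[4:9].decode("ascii", "replace")
        message = body[9:].decode("utf-8", "replace")
    else:
        sqlstate = None  # pre-4.1 servers send no SQLSTATE field
        message = body[3:].decode("utf-8", "replace")
    return code, sqlstate, message


def snort_content_match(payload):
    """Mimic the posted rules: an unanchored search for FF + code bytes
    anywhere in the payload. Returns the msg strings that would fire."""
    hits = []
    for code, msg in ERR_CODES.items():
        pattern = b"\xff" + struct.pack("<H", code)
        if pattern in payload:
            hits.append(msg)
    return hits


def protocol_aware_match(payload):
    """Fire only when the payload really is an ERR packet with a listed code."""
    parsed = parse_err_packet(payload)
    if parsed is None:
        return []
    code = parsed[0]
    return [ERR_CODES[code]] if code in ERR_CODES else []


# Constructed samples (not captured traffic).
SAMPLE_SYNTAX_ERROR = build_err_packet(
    1064, "You have an error in your SQL syntax", sqlstate="42000")
SAMPLE_OLD_NO_TABLE = build_err_packet(1146, "Table 'test.nope' doesn't exist")
# A non-error packet (e.g. a row holding binary data) that merely contains the
# bytes FF 28 04 inside a length-prefixed value.
SAMPLE_BLOB_ROW = b"\x0c\x00\x00\x03" + b"\x0b" + b"\x01\x02\xff\x28\x04\x05\x06\x07\x08\x09\x0a"

if __name__ == "__main__":
    for name, pkt in [("syntax error", SAMPLE_SYNTAX_ERROR),
                      ("old-style no such table", SAMPLE_OLD_NO_TABLE),
                      ("blob row", SAMPLE_BLOB_ROW)]:
        print(name, "| byte match:", snort_content_match(pkt),
              "| protocol-aware:", protocol_aware_match(pkt))
```

The blob-row sample is the practical caveat to the "handful of alerts" question: a content-only rule on server-to-client traffic is cheap, but its false-positive rate scales with how much binary data the server returns, so pairing the match with an offset/depth or a flow check, or trapping the error at the application instead, keeps the alerts meaningful.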
