[Snort-users] Using snort to track Oracle access

Steve Wombell swombell at ...15526...
Tue Feb 21 07:58:14 EST 2012


I am new to Snort, but have a requirement to audit data flowing to and from
an Oracle database based on the content of the data flowing in each
direction. While this is not exactly an IDS use case, the similarity is
that the packets flowing to and from Oracle need to be searched for
particular content and a report generated on the usage.

The test setup is:

   - Snort on a Windows PC (the Server) capturing traffic that flows
   through the network interface. (192.168.1.111)
   - An Oracle instance on the same PC.
   - A client PC on the same subnet that can query the database.
   (192.168.1.109)

This rule

   alert tcp any any <> any any (content:"samsung"; nocase; msg:"Samsung in the stream"; sid:1000047; rev:1;)

will report when a packet containing "samsung" is sent from the client to
the server, but packets from the database server to the client do not
trigger the rule.

I am struggling to understand why the database-to-client packets are not
flagged. I have verified that the search text is in the return packets (via
using a sniffer) so it is not an encryption issue.

Is it something as simple as the way the HOME (192.168.1.0/24) and EXTERNAL
(any) network definitions are interpreted (does not seem likely) ... any
advice appreciated ...

Thanks
Steve
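The following snort.conf and rules fragment is an added example, not part of the original post or Steve's configuration. It shows two checks a practitioner would run against this setup. The first rests on an assumption the post does not establish: that Snort is dropping the server-to-client packets before detection because they are captured on the sending host with TCP checksums the NIC has not yet computed (checksum offload), while the client's inbound packets carry valid checksums. Snort verifies checksums by default and silently discards packets that fail, which would give exactly the one-sided behaviour described. The second check splits the rule by direction so the alert log states which side of the session matched. The Oracle listener port 1521 and the sids 1000048 and 1000049 are assumed values chosen for the example.

```snort
# Added example (not from the original post). Assumptions: Oracle listens on
# the default port 1521, and the server-side packets are being captured with
# TCP checksums not yet filled in by the NIC (checksum offload), so Snort's
# default checksum verification discards them before the content match runs.

# --- snort.conf: stop verifying TCP checksums only ---
# Default is "all". Valid values: all, none, noip, notcp, noudp, noicmp.
# Command-line equivalent while testing, without editing the config: -k notcp
config checksum_mode: notcp

# --- local.rules: one rule per direction ---
# flow:to_server / flow:to_client make the alert say which side matched;
# "established" requires the stream preprocessor to have seen the handshake,
# so start Snort before opening the client session when testing.
alert tcp 192.168.1.0/24 any -> 192.168.1.111 1521 (msg:"Samsung in query to Oracle"; flow:to_server,established; content:"samsung"; nocase; sid:1000047; rev:2;)

alert tcp 192.168.1.111 1521 -> 192.168.1.0/24 any (msg:"Samsung in Oracle response"; flow:to_client,established; content:"samsung"; nocase; sid:1000048; rev:1;)

# Control rule with no direction or flow constraint. If a response fires
# sid 1000049 but not 1000048, the session was not tracked as established
# (for example Snort started mid-session); if neither fires until the
# checksum_mode change is made, the checksum explanation holds.
alert tcp any any <> any any (msg:"Samsung in the stream (any direction)"; content:"samsung"; nocase; sid:1000049; rev:1;)
```

Usage: first rerun the existing configuration with `-k none` on the command line; if alerts for the server-to-client packets appear, the checksum assumption is confirmed and the narrower `notcp` setting above can be put in snort.conf. Disabling checksum verification also removes a sanity check on traffic from other hosts, so keep it scoped to the capture host where offload is the cause, and re-enable it if the sensor later captures from a SPAN port or tap.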