[Snort-users] Using snort to track Oracle access

Jason Wallace jason.r.wallace at ...11827...
Thu Feb 23 12:17:42 EST 2012


I would try to avoid "any any <> any any"

Make sure the ports used for this communication are set to "ports
both" in stream5.

For example, if Oracle is listening on port 1521, you will need to
ensure 1521 is in "ports both" in stream5, then try these rules...

alert tcp [your client address space] any -> [your Oracle Server IP]
1521 (flow:established,to_server; content:"samsung"; nocase;
msg:"Samsung in the stream from client to server"; sid:1000047;
rev:1;)

alert tcp [your Oracle Server IP] 1521 -> [your client address space]
any (flow:established,from_server; content:"samsung"; nocase;
msg:"Samsung in the stream from server to client"; sid:1000048;
rev:1;)

IIRC Oracle can do some weird stuff with picking ports, so you need to
know how the client-to-server comms work.

Thx,
Wally
On Tue, Feb 21, 2012 at 7:58 AM, Steve Wombell
<swombell at ...15526...> wrote:
> I am new to Snort, but have a requirement to audit data flowing to and from
> an Oracle database based on the content of the data flowing in each
> direction. While this is not exactly an IDS use case, the similarity is that
> the packets flowing to and from Oracle need to be searched for particular
> content and a report generated on the usage.
>
> The test setup is:
>
> Snort on a Windows PC (the Server) capturing traffic that flows through the
> network interface. (192.168.1.111)
> An Oracle instance on the same PC.
> A client PC on the same subnet that can query the database. (192.168.1.109)
>
> This rule
>
> alert tcp any any <> any any (content:"samsung"; nocase; msg:"Samsung in the
> stream"; sid:1000047; rev:1;)
>
> will report when a packet containing "samsung" is sent from the client to
> the server, but packets from the database server to the client do not
> trigger the rule.
>
> I am struggling to understand why the database-to-client packets are not
> flagged. I have verified that the search text is in the return packets (via
> using a sniffer) so it is not an encryption issue.
>
> Is it something as simple as the way the HOME (192.168.1.0/24) and EXTERNAL
> (any) network definitions are interpreted (does not seem likely) ... any
> advice appreciated ...
>
> Thanks
> Steve
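Putting the advice above together as an added snort.conf fragment (constructed for this thread, not posted by either author): the stream5 "ports both" entry that makes the server-to-client half of the session reassembled and inspectable, followed by the two directional rules. The addresses are the ones from Steve's test setup; the stream5_global values are placeholders that assume a small single-sensor lab.

```snort
# --- stream5: track TCP sessions so that flow:established and
# --- from_server/to_server can be evaluated (added example, not from the thread)
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no, \
    max_tcp 65536

# "ports both 1521" tells stream5 to reassemble traffic in BOTH directions
# on the Oracle listener port. Without it, only the client-to-server side is
# reassembled, which is why the "any any <> any any" rule fired only one way.
# policy is assumed "windows" because the Oracle host in the thread is Windows.
preprocessor stream5_tcp: policy windows, ports both 1521

# --- Oracle audit rules (assumed: client 192.168.1.109, server 192.168.1.111)
# Client -> server: "samsung" appearing in a query sent to the listener.
alert tcp 192.168.1.109 any -> 192.168.1.111 1521 ( \
    flow:established,to_server; content:"samsung"; nocase; \
    msg:"Samsung in the stream from client to server"; \
    sid:1000047; rev:1;)

# Server -> client: "samsung" appearing in the result set returned by Oracle.
alert tcp 192.168.1.111 1521 -> 192.168.1.109 any ( \
    flow:established,from_server; content:"samsung"; nocase; \
    msg:"Samsung in the stream from server to client"; \
    sid:1000048; rev:1;)
```

If the client redirects to a dynamically chosen dispatcher port (as Wally notes Oracle may do), add that port to the same "ports both" list or the server-side rule will again see only unreassembled packets.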
