[Snort-users] Using snort to track Oracle access

Martin Holste mcholste at ...11827...
Thu Feb 23 14:36:37 EST 2012


> I am new to Snort, but have a requirement to audit data flowing to and from
> an Oracle database based on the content of the data flowing in each
> direction. While this is not exactly an IDS use case, the similarity is that
> the packets flowing to and from Oracle need to be searched for particular
> content and a report generated on the usage.

Firstly, I would suggest that by far the best place to audit this kind
of thing would be to have Oracle generate its own logs and to use
those.

I generally find that things important enough to audit like this will
be encrypted on the wire.  Before you get too far, I'd use tcpdump to
quickly verify that the Oracle traffic is cleartext.

After that, I'd strongly suggest looking at a pcap using Wireshark.
The read filter for the "tns" protocol has a lot of filters available.
If you find a good filter, such as "tns.data" then you can put those
into a tshark filter for reading off the wire like this:
tshark -i bond0 -R "tns.data" -n
Then you can do some cleaning up by piping to grep or a script like this:
tshark -i bond0 -R "tns.data" -n -e data -Tfields | perl -le 'while(<>){ print unpack("A*", pack("H*", $_)) }' | grep "table_name_to_audit"

If none of that is good enough, then try writing some Snort sigs for
content matching.  Even if it's not as efficient as the methods above,
it's a great way to learn how to write signatures.
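The hex-decoding and reporting step above, written in Python instead of the perl one-liner, as an added example that is not part of the original post. It assumes tshark was run with `-T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data` (hypothetical invocation), that the Oracle listener is on port 1521, and that the sample lines are constructed.

```python
import re
from collections import Counter

ORACLE_PORT = 1521  # assumption: default listener port, used to infer direction

def decode_hex(field):
    """Turn tshark's hex 'data' field into text, like the perl pack('H*') step.
    Strips ':' separators in case the tshark build emits them."""
    raw = bytes.fromhex(field.replace(":", ""))
    return raw.decode("ascii", errors="replace")

def parse_line(line):
    """Split one '-T fields' line: src, sport, dst, dport, hex payload."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5 or not parts[4]:
        return None  # malformed line, or a TNS packet with no data field
    src, sport, dst, dport, payload = parts
    direction = "to_oracle" if int(dport) == ORACLE_PORT else "from_oracle"
    return direction, decode_hex(payload)

def audit(lines, tables):
    """Count whole-word, case-insensitive mentions of each audited table,
    keyed by (table, direction), for the usage report."""
    patterns = {t: re.compile(r"\b%s\b" % re.escape(t), re.I) for t in tables}
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        direction, text = rec
        for table, pat in patterns.items():
            if pat.search(text):
                counts[(table, direction)] += 1
    return counts

def _fields_line(src, sport, dst, dport, payload):
    """Build a constructed tshark-style line (hex without separators)."""
    return "\t".join([src, str(sport), dst, str(dport), payload.hex()])

# Constructed sample capture: a query, its response, a second query, and a
# TNS packet with an empty data field.  Leading bytes imitate TNS framing.
SAMPLE_LINES = [
    _fields_line("10.0.0.5", 51234, "10.0.0.10", 1521, b"\x00\x2a\x00\x00\x06\x00\x00\x00SELECT * FROM employees WHERE id=7"),
    _fields_line("10.0.0.10", 1521, "10.0.0.5", 51234, b"\x00\x1a\x00\x00\x06\x00\x00\x00employees row data"),
    _fields_line("10.0.0.5", 51234, "10.0.0.10", 1521, b"UPDATE salaries SET amt=1 WHERE emp=7"),
    "10.0.0.5\t51234\t10.0.0.10\t1521\t",
]

if __name__ == "__main__":
    for (table, direction), n in sorted(audit(SAMPLE_LINES, ["employees", "salaries"]).items()):
        print(f"{table:<12} {direction:<12} {n}")
```

To use it on live output, replace SAMPLE_LINES with `sys.stdin` after the tshark pipe.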
