
List:       snort-sigs
Subject:    Re: [Snort-sigs] lots of false positives for "GPL SQL user name buffer overflow attempt"
From:       rmkml <rmkml@yahoo.fr>
Date:       2014-01-21 14:20:24
Message-ID: alpine.DEB.2.00.1401211519530.18723@sd-26634.dedibox.fr

Hi Cyrille,

Please test with this new version:

  alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name \
buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; \
content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; \
content:!"|29|"; within:1000; \
reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; \
sid:2102650; rev:4;)

Regards
@Rmkml


On Tue, 21 Jan 2014, Cyrille Bollu wrote:

> Hi,
> 
> thanks for the info
> 
> I was just looking at the flow:only_stream... options. That might well be related.
> 
> OTOH, I'm new to Snort and I don't yet understand the links between all these: the
> "official ruleset" (you mean the VRT one?), the ET, the GPL, .... Do you mind
> explaining to me what you mean by "ET forking"?
> Br,
> 
> Cyrille
> 
> On Tue, Jan 21, 2014 at 3:11 PM, Joel Esler (jesler) <jesler@cisco.com> wrote:
> isdataat reads a whole stream, so if packets are being reassembled as part of the
> Stream5 preprocessor, isdataat can cross those packet boundaries, while you may
> only receive one packet in the alert.
> That may be the cause of it.  It doesn't look like that rule matches the rule in the
> official ruleset, yet another reason why ET forking these rules was a bad idea.
> 
> On Jan 21, 2014, at 8:48 AM, Cyrille Bollu <cyrille.bollu@gmail.com> wrote:
> 
> Hi,
> 
> Signature 2102650 generates lots of false positives here.
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name \
> buffer overflow attempt"; flow:to_server,established; content:"connect_data"; \
> nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; \
> within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; \
> classtype:attempted-user; sid:2102650; rev:3;) 
> It seems like the "isdataat:1000,relative" option is not taken into account, as
> packets are smaller than 1000 bytes.
> For example, here are the last bytes of a matching packet:
> "(HOST=PC-MARIANNE)(USER=marianne))))".
> I can provide you with a packet capture if you want
> 
> Br,
> 
> Cyrille
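The following is an added illustration, not code from this thread or from Snort itself: a small Python model of the payload options of sid 2102650 (rev 3 and rev 4) that shows why the rule fires on a normal Oracle TNS connect once Snort evaluates it against a Stream5-reassembled buffer rather than a single packet, and why the `content:!"|29|"; within:1000;` added in rev 4 suppresses that case while still matching an overlong user name. The TNS buffers are constructed for the example (only the quoted tail `(HOST=PC-MARIANNE)(USER=marianne))))` comes from the thread), and the matcher simplifies Snort semantics: it ignores the rule header and `flow:`, treats each negated `within` as a window after the last positive match, and does not move the cursor on a negated content.

```python
"""Toy model of the payload options of sid 2102650 (GPL SQL user name
buffer overflow attempt). Added example; not Snort code and not the
poster's capture. Simplifications: rule header and flow: are ignored,
negated contents are checked in the window after the last positive
match, and the cursor does not advance on a negated content.
"""

# Constructed sample buffers. The connect packet ends with the same tail
# the original report quotes; the rest of the string is made up.
TNS_CONNECT = (
    b"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.5)(PORT=1521))"
    b"(CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=sqlplus)"
    b"(HOST=PC-MARIANNE)(USER=marianne))))"
)
# Later packets of the same TCP session, as Stream5 would append them to
# the reassembled buffer the rule is actually evaluated against.
FOLLOW_ON = b"\x00" * 1200
# A constructed overlong user name: the case the rule is meant to catch.
OVERFLOW_CONNECT = (
    b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=ORCL)(USER="
    + b"A" * 1100
    + b")))"
)


def find_ci(buf: bytes, needle: bytes) -> int:
    """content:"needle"; nocase;  -> offset just past the match, or -1."""
    idx = buf.lower().find(needle.lower())
    return -1 if idx < 0 else idx + len(needle)


def rule_matches(buf: bytes, rev: int) -> bool:
    """Evaluate the payload options of sid 2102650 rev 3 or rev 4 on buf."""
    # content:"connect_data"; nocase;
    if find_ci(buf, b"connect_data") < 0:
        return False
    # content:"|28|user="; nocase;   ('(' is 0x28); this sets the cursor
    cursor = find_ci(buf, b"(user=")
    if cursor < 0:
        return False
    # isdataat:1000,relative;  -> at least 1000 more bytes after the cursor.
    # On one small packet this fails; on a reassembled stream it can pass.
    if len(buf) - cursor < 1000:
        return False
    window = buf[cursor:cursor + 1000]
    # content:!"|22|"; within:1000;  -> no double quote in that window
    if b'"' in window:
        return False
    if rev >= 4:
        # content:!"|29|"; within:1000;  (rev 4 addition) -> no ')' in the
        # window, i.e. the user name is not terminated within 1000 bytes
        if b")" in window:
            return False
    return True


if __name__ == "__main__":
    print("rev3, single packet      :", rule_matches(TNS_CONNECT, 3))
    print("rev3, reassembled stream :", rule_matches(TNS_CONNECT + FOLLOW_ON, 3))
    print("rev4, reassembled stream :", rule_matches(TNS_CONNECT + FOLLOW_ON, 4))
    print("rev4, overlong user name :", rule_matches(OVERFLOW_CONNECT, 4))
```

On the single connect packet, rev 3 does not match: only a dozen bytes follow `(USER=`, so `isdataat:1000,relative` fails, which is what the report expected. Once the rest of the session is appended, as it is when Stream5 hands the rule a reassembled buffer, the same rev 3 options match even though the alert shows only the one short packet. Rev 4 fails on that buffer because the well-formed user name is closed by `)` within the 1000-byte window, while the overlong user name still matches, since its first `)` lies past the window.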




_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
