Snort mailing list archives
Re: Using snort to track Oracle access
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 23 Feb 2012 12:17:42 -0500
I would try to avoid "any any <> any any". Make sure the ports used for this communication are set to "ports both" in stream5. For example, if Oracle is listening on port 1521 you will need to ensure 1521 is in "ports both" in stream5, then try these rules...

alert tcp [your client address space] any -> [your Oracle Server IP] 1521 (flow:established,to_server; content:"samsung"; nocase; msg:"Samsung in the stream from client to server"; sid:1000047; rev:1;)

alert tcp [your Oracle Server IP] 1521 -> [your client address space] any (flow:established,from_server; content:"samsung"; nocase; msg:"Samsung in the stream from server to client"; sid:1000048; rev:1;)

IIRC Oracle can do some weird stuff with picking ports, so you need to know how the client to server comms work.

Thx,
Wally

On Tue, Feb 21, 2012 at 7:58 AM, Steve Wombell <swombell () packetmechanics com> wrote:
I am new to Snort, but have a requirement to audit data flowing to and from an Oracle database based on the content of the data flowing in each direction. While this is not exactly an IDS use case, the similarity is that the packets flowing to and from Oracle need to be searched for particular content and a report generated on the usage.

The test setup is:
- Snort on a Windows PC (the Server) capturing traffic that flows through the network interface. (192.168.1.111)
- An Oracle instance on the same PC.
- A client PC on the same subnet that can query the database. (192.168.1.109)

This rule

alert tcp any any <> any any (content:"samsung"; nocase; msg:"Samsung in the stream"; sid:1000047; rev:1;)

will report when a packet containing "samsung" is sent from the client to the server, but packets from the database server to the client do not trigger the rule. I am struggling to understand why the database-to-client packets are not flagged. I have verified that the search text is in the return packets (via using a sniffer) so it is not an encryption issue. Is it something as simple as the way the HOME (192.168.1.0/24) and EXTERNAL (any) network definitions are interpreted (does not seem likely) ... any advice appreciated ...

Thanks
Steve

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
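The advice in Jason's reply, put together as one snort.conf fragment. This is an added example, not text from the thread and not the Snort project's own configuration; it assumes the addresses and listener port given in the thread (server 192.168.1.111, client 192.168.1.109, port 1521), and the ipvar names are my own choice.

```snort
# Added example: Oracle listener traffic, both directions reassembled and
# matched with direction-specific rules. Addresses/port are the thread's
# test setup; ORACLE_SERVER / ORACLE_CLIENTS are assumed variable names.
ipvar ORACLE_SERVER  [192.168.1.111]
ipvar ORACLE_CLIENTS [192.168.1.109]

# Stream reassembly for TCP. "ports both 1521" makes stream5 reassemble
# the server-to-client half of a 1521 session as well as the client-to-server
# half, so content matching sees the return data as a stream. Check whether
# your existing stream5_tcp line lists 1521 only under "ports client"; if so,
# that is the line to change.
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no
preprocessor stream5_tcp: policy first, ports both 1521

# One rule per direction. flow:established ties the rule to a session whose
# handshake Snort observed; to_server / from_server pick the direction, so the
# msg text tells you which way the string travelled. sids are the thread's.
alert tcp $ORACLE_CLIENTS any -> $ORACLE_SERVER 1521 (flow:established,to_server; content:"samsung"; nocase; msg:"Samsung in the stream from client to server"; sid:1000047; rev:1;)
alert tcp $ORACLE_SERVER 1521 -> $ORACLE_CLIENTS any (flow:established,from_server; content:"samsung"; nocase; msg:"Samsung in the stream from server to client"; sid:1000048; rev:1;)
```

Two practical points when testing this: because both rules use flow:established, a session that was already open when Snort started will not match until the client reconnects, so start the capture before the client connects; and if, as Jason notes, the Oracle listener hands the session over to a different port, that port needs the same "ports both" entry and a matching pair of rules, or the data on it will again only be inspected in one direction.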
Current thread:
- Using snort to track Oracle access Steve Wombell (Feb 23)
- Re: Using snort to track Oracle access Jason Wallace (Feb 23)
- Re: Using snort to track Oracle access Martin Holste (Feb 23)