Snort mailing list archives
Re: lots of false positives for "GPL SQL user name buffer overflow attempt"
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 21 Jan 2014 14:11:02 +0000
isdataat reads a whole stream, so if packets are being reassembled as part of the Stream5 preprocessor, isdataat can cross those packet boundaries, while you may only receive one packet in the alert. That may be the cause of it.

It doesn't look like that rule matches the rule in the official ruleset, yet another reason why ET forking these rules was a bad idea.

On Jan 21, 2014, at 8:48 AM, Cyrille Bollu <cyrille.bollu () gmail com> wrote:

> Hi,
>
> Signature 2102650 generates lots of false positives here.
>
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3;)
>
> It seems like the "isdataat:1000,relative" option is not taken into account, as packets are smaller than 1000 bytes.
>
> For example, here are the last bytes of a matching packet: "(HOST=PC-MARIANNE)(USER=marianne))))".
>
> I can provide you with a packet capture if you want.
>
> Br,
>
> Cyrille
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
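The stream-versus-packet behaviour described in the reply above can be reproduced with a small emulation of the rule's payload options. The following is an added example written for this archive page; it is not Snort source and not code either poster provided. The payloads are constructed (not a real capture), nocase is modelled as ASCII lower-casing, and isdataat:N,relative is approximated as "at least N bytes remain after the detection cursor".

```python
# Added example for this thread (not Snort source, not the posters' code).
# Emulates the payload options of sid:2102650 so the single-packet vs.
# reassembled-stream difference can be reproduced offline.
# Assumptions: nocase is modelled as ASCII lower-casing; isdataat:N,relative
# is modelled as "at least N bytes remain after the detection cursor".

def rule_2102650_matches(buf: bytes) -> bool:
    """Return True if the rule's payload options all succeed on one buffer.

    Option sequence from the rule in the thread:
      content:"connect_data"; nocase;
      content:"|28|user="; nocase;        # '(user=' after 'connect_data'
      isdataat:1000,relative;             # >= 1000 bytes follow the cursor
      content:!"|22|"; within:1000;       # no '"' in those 1000 bytes
    """
    low = buf.lower()
    i = low.find(b"connect_data")
    if i < 0:
        return False
    j = low.find(b"(user=", i + len(b"connect_data"))
    if j < 0:
        return False
    cursor = j + len(b"(user=")             # detection cursor after the match
    if len(buf) - cursor < 1000:            # isdataat:1000,relative fails
        return False
    window = buf[cursor:cursor + 1000]      # within:1000 is relative to cursor
    return b'"' not in window               # negated content succeeds if absent


# Constructed sample data shaped like the packet tail quoted in the thread.
# These are not real captures.
SINGLE_PACKET = (
    b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)"
    b"(HOST=PC-MARIANNE)(USER=marianne))))"
)

# Stream5-style reassembled buffer: the same packet followed by later client
# bytes from the same session that happen to contain no double-quote.
REASSEMBLED_NO_QUOTE = SINGLE_PACKET + b"A" * 1100

# Same, but a double-quote appears inside the 1000-byte window, which makes
# the negated content fail.
REASSEMBLED_WITH_QUOTE = SINGLE_PACKET + b"A" * 500 + b'"' + b"A" * 600


def evaluate_cases() -> dict:
    """Run the emulated rule over each buffer; keyed by scenario name."""
    return {
        "single_packet": rule_2102650_matches(SINGLE_PACKET),
        "reassembled_no_quote": rule_2102650_matches(REASSEMBLED_NO_QUOTE),
        "reassembled_with_quote": rule_2102650_matches(REASSEMBLED_WITH_QUOTE),
    }


if __name__ == "__main__":
    for name, hit in evaluate_cases().items():
        print(f"{name:24s} -> {'ALERT' if hit else 'no alert'}")
```

The single packet on its own never satisfies isdataat:1000,relative, so judging the alert by the one packet Snort attached to it is misleading; the detection buffer was the reassembled stream, where enough trailing session data without a double-quote byte makes every option succeed. When tuning this kind of alert, compare the rule against the full session (a pcap of the whole connection) rather than the alert packet alone.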
Current thread:
- lots of false positives for "GPL SQL user name buffer overflow attempt" Cyrille Bollu (Jan 21)
- Re: lots of false positives for "GPL SQL user name buffer overflow attempt" Joel Esler (jesler) (Jan 21)
- Re: lots of false positives for "GPL SQL user name buffer overflow attempt" Cyrille Bollu (Jan 21)
- Re: lots of false positives for "GPL SQL user name buffer overflow attempt" Joel Esler (jesler) (Jan 21)