Home page logo
/

snort logo Snort mailing list archives

Re: FP? 1675
From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 21 Oct 2010 14:09:39 -0400

Are you getting a lot of these, or is this just a one-off? The unfortunate
reality with Oracle is that it uses random high ports after a TNS exchange
(which we don't currently track), and so sometimes HTML can trigger issues
like this, as it's destined for a high port like the rule expects. I'd
suggest tweaking your $SQL_SERVERS variable, since you're probably not doing
a lot of web surfing on the Oracle box, but your proxy could cause issues
with that, depending on your setup.

That said, unless you're getting a number of these, I'd file this under
"anomaly" and not worry too much about it.

On Tue, Oct 19, 2010 at 8:53 PM, Chris Stevens <
chrisstevens () users sourceforge net> wrote:

ORACLE misparsed login response - Looked like it triggered on a yahoo maps
request on its way to our proxy server. PCAP attached. Any ideas?

------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly
Flex(R) Builder(TM)) enable the development of rich applications that run
across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

  By Date           By Thread  

Current thread:
  • FP? 1675 Chris Stevens (Oct 20)
    • Re: FP? 1675 Alex Kirk (Oct 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]