Snort mailing list archives
Oracle SQL Obfuscation Rule
From: Nicholas Mavis <nmavis () sourcefire com>
Date: Tue, 22 Oct 2013 17:59:14 -0400
I noticed that in the ruleset, we currently have a rule looking for MS
SQL obfuscation with a string of char()'s. However, we do not have a
rule for the Oracle version, chr(). I've altered the original rule to
the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function"; flow:established,to_server; content:"GET"; http_method; content:"CHR("; nocase; http_uri; pcre:"/CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(/smiU"; metadata:service http; classtype:web-application-attack;)

Thanks,
Nick Mavis
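
The rule's matching logic from the message above, approximated in Python so it can be checked against sample requests before deployment. This is an added example, not part of the original post or the Snort ruleset; the function names and sample URIs are constructed, and Snort's URI normalization (the pcre `U` flag and `http_uri`) is assumed to be close enough to percent-decoding for this purpose.

```python
import re
from urllib.parse import unquote

# pcre from the rule; Snort's s, m, i flags map to DOTALL, MULTILINE, IGNORECASE.
# The U flag (match against the normalized URI) is approximated by unquote().
CHR_CHAIN = re.compile(r"CHR\(.*?CHR\(.*?CHR\(.*?CHR\(.*?CHR\(",
                       re.S | re.M | re.I)

def rule_matches(method: str, raw_uri: str) -> bool:
    """Approximate the rule: GET method, 'CHR(' in the URI, then the pcre."""
    if method != "GET":                 # content:"GET"; http_method;
        return False
    uri = unquote(raw_uri)              # assumption: stand-in for http_inspect
    if "chr(" not in uri.lower():       # content:"CHR("; nocase; http_uri;
        return False
    return CHR_CHAIN.search(uri) is not None

# Constructed sample requests: (label, method, URI as sent on the wire).
SAMPLES = [
    ("five chr() calls joined with ||", "GET",
     "/item.php?id=1+UNION+SELECT+CHR(97)||CHR(100)||CHR(109)||CHR(105)"
     "||CHR(110)+FROM+dual"),
    ("same, lowercase and percent-encoded", "GET",
     "/item.php?id=chr%2897%29%7C%7Cchr%28100%29%7C%7Cchr%28109%29"
     "%7C%7Cchr%28105%29%7C%7Cchr%28110%29"),
    ("only four calls, below the threshold", "GET",
     "/item.php?id=CHR(97)||CHR(100)||CHR(109)||CHR(105)"),
    ("five calls but sent as POST", "POST",
     "/item.php?id=CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110)"),
    ("benign docs search that names chr() five times", "GET",
     "/docs/search?q=CHR(65)+CHR(66)+CHR(67)+CHR(68)+CHR(69)"),
]

def evaluate_samples():
    """Return {label: bool} for every constructed sample."""
    return {label: rule_matches(m, u) for label, m, u in SAMPLES}

if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'pass ':5}  {label}")
```

The last sample alerts even though it is harmless, which fits the rule's INDICATOR category: a hit is a reason to look at the request, not proof of injection.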
