I agree. This is my idea:
pcre:"/grant[/s]+([/w]+[/s]+){1,11}to[/s]+/i"
The 1,11 comes from the following cases:
grant all_customer to Matt;
grant select , delete , update , create , insert on
customer to Matt;
Peace,
Joseph
--- Matthew Jonkman <matt@infotex.com> wrote:
Getting a lot off false positives on sid 1690,
Oracle Grant Attempt.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS
$ORACLE_PORTS (msg:"ORACLE
grant attempt"; flow:to_server,established;
content:"grant "; nocase;
content:" to "; nocase;
classtype:protocol-command-decode; sid:1690; rev:3;)
Anytime an oracle data stream contains the word
Grant (as in Grant
street, John Grant, "These funds have been granted
to", etc) the rule is
hitting. Maybe a pcre string to look specifically
for permission grants
or something. Maybe a within statement to keep the
"to" shortly after
the grant. But just "grant" and "to" is pretty
non-unique.
Matt
-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you
noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the
past few weeks? Now,
one more big change to announce. We are now OSTG-
Open Source Technology
Group. Come see the changes on the new OSTG site.
www.ostg.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
