On Oct 22, 2004, at 2:20 PM, nnposter wrote:
By no means I would see myself as an expert on SQL*Net but I have
a suspicion that 2650 has a false positive because it looks for user
name header "(user=" and then for a non-presence of a double quote.
My speculation is that it should be perhaps looking for a non-presence
of a closing parenthesis.
Yeah, send me this the pcap please. I wrote a *very* small subset
SQL*Net implementation a long time ago. Most of my knowledge of
SQL*Net is from the research I did building that implementation. I
could have got this bit wrong. Since I don't have a production oracle
environment, some of these might get false positives.
Much of the work we've done with the oracle rules has been done by Judy
Novak & Alex Kirk (both of Sourcefire), doing the function by function
validation of overflows & finding the breaking point for each function.
I just figured out a good way to thunk all of the attack vectors for
each broken function into one rule and wrote the code that turns their
output into rules. We have a few hundred rules that were built this
way. In fact, all but a handful of the oracle rules.
If you have any issues with any of the oracle overflows, please let me
know so I can correct the issue asap, since the same issue probably
affects the couple hundred rules as well.
Thanks,
Brian
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
