Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-COMM-2.4/rules/community-oracle.rules Fri Dec 2 01:26:29 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-COMM-2.4/rules/community-oracle.rules : 1 | # Copyright 2005 Sourcefire, Inc. All Rights Reserved. |
| ./snortrules-COMM-2.4/rules/community-oracle.rules : 2 | # These rules are licensed under the GNU General Public License. |
| ./snortrules-COMM-2.4/rules/community-oracle.rules : 3 | # Please see the file LICENSE in this directory for more details. |
| ./snortrules-COMM-2.4/rules/community-oracle.rules : 4 | # $Id: community-oracle.rules,v 1.2 2005/10/13 14:16:06 akirk Exp $ |
| ./snortrules-COMM-2.4/rules/community-oracle.rules : 5 | |
| ./snortrules-COMM-2.4/rules/community-oracle.rules : 6 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; content:"COMMAND"; nocase; distance:0; content:"STOP"; nocase; distance:0; content:"LISTENER"; nocase; distance:0; pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/si"; reference:bugtraq,15032; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user; sid:100000166; rev:1;) |