GROUP_NAME=ORACLE
GROUP_DESCRIPTION=These sigs detect unusual, possibly malicious Oracle database queries/traffic. NOTE: they currently use port 1521. That is the default port for Oracle's main listener, but it might easily have been changed by local DBAs. It would be better to define a local COMPLEX port entry, such as 'O', which lists all ports used by Oracle servers within your organization.

# $Id: ORACLE.lib,v 1.3 2006/05/19 15:10:31 hlein Exp $

NAME=ORACLE:NMAP
SIGNATURE=T D A S 40 100 1521 ORACLE:NMAP connect/5fdata/3d/28command/3dversion/29/29
DESCRIPTION=The version-detection mode of nmap (-sV) attempts to banner-grab or otherwise fingerprint services it finds running. This signature alerts on the default Oracle-detection probe sent by nmap in that mode.
MODIFIED=Y
DISABLED=N

##NAME=ORACLE:LOGIN
##SIGNATURE=T D A S 1 250 1521 ORACLE:LOGIN description/3d/28connect/5fdata
##DESCRIPTION=This signature logs all Oracle logins. It will by design generate a lot of noise, and its use is not recommended unless you really wish to log *every* Oracle login.

NAME=ORACLE:LOGIN-MISPARSE
SIGNATURE=T D A S 10 250 1521 ORACLE:LOGIN-MISPARSE description/3d/28 ! ( connect/5fdata/3d/28sid/3d , address , source_route )
DESCRIPTION=This signature alerts on Oracle logins which do not parse according to the expected format. Because they do not parse as expected, other signatures which check Oracle logins may miss bogus or failed login attempts.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:SELECT-UNION
SIGNATURE=T D A S 10 400 1521 ORACLE:SELECT-UNION select/20 , /20union/20
DESCRIPTION=This signature detects SQL statements containing a UNION clause. Such statements may be a sign of an attacker attempting to insert arbitrary SQL into an existing query. Note that this signature may generate false positives, as certain (interactive) Oracle client tools perform SELECT ... UNION queries against the NLS_PARAMETERS system table at startup. This signature may need to be updated or disabled if a high rate of false positives from NLS_PARAMETERS queries is logged.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:SELECT-PCT
SIGNATURE=T D A S 10 300 1521 ORACLE:SELECT-PCT select/20 , like/20/27/25/27
DESCRIPTION=This signature alerts on SELECT statements containing a WHERE clause in which a LIKE comparison is done against '%'. Since % is an SQL wildcard, such a query will match anything--the WHERE clause is always true. This may be a sign of an attacker attempting to dump all records from a table by inserting arbitrary SQL into an existing query.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:SELECT-PCT2
SIGNATURE=T D A S 10 300 1521 ORACLE:SELECT-PCT2 select/20 , like/20/22/25/22
DESCRIPTION=This signature alerts on SELECT statements containing a WHERE clause in which a LIKE comparison is done against "%". Since % is an SQL wildcard, such a query will match anything--the WHERE clause is always true. This may be a sign of an attacker attempting to dump all records from a table by inserting arbitrary SQL into an existing query.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:SELECT-REFLEXIVE
SIGNATURE=T D A S 10 300 1521 ORACLE:SELECT-REFLEXIVE select/20 , /201/3d1$
DESCRIPTION=This signature alerts on SELECT statements containing a WHERE clause checking for 1=1. Since this will always be true, this may be a sign of an attacker attempting to dump all records from a table by inserting arbitrary SQL into an existing query.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:SELECT-REFLEXIVE2
SIGNATURE=T D A S 10 300 1521 ORACLE:SELECT-REFLEXIVE2 select/20 , /27A/27/3d/27A/27
DESCRIPTION=This signature alerts on SELECT statements containing a WHERE clause checking for 'A'='A'. Since this will always be true, this may be a sign of an attacker attempting to dump all records from a table by inserting arbitrary SQL into an existing query.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:SELECT-REFLEXIVE3
SIGNATURE=T D A S 10 300 1521 ORACLE:SELECT-REFLEXIVE3 select/20 , /22A/22/3d/22A/22
DESCRIPTION=This signature alerts on SELECT statements containing a WHERE clause checking for "A"="A". Since this will always be true, this may be a sign of an attacker attempting to dump all records from a table by inserting arbitrary SQL into an existing query.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:DESCRIBE
SIGNATURE=T D A S 10 150 1521 ORACLE:DESCRIBE describe/20
DESCRIPTION=This signature alerts on SQL 'DESCRIBE' queries. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database. Note however that this signature is fairly unspecific, so it may cause false positives.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:ALL_TABLES
SIGNATURE=T D A S 40 200 1521 ORACLE:ALL_TABLES all/5ftables
DESCRIPTION=This signature alerts on SQL queries referencing the ALL_TABLES Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database. Note however that this signature is fairly unspecific, so it may cause false positives.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:ALL_TAB_COLUMNS
SIGNATURE=T D A S 40 200 1521 ORACLE:ALL_TAB_COLUMNS all/5ftab/5fcolumns
DESCRIPTION=This signature alerts on SQL queries referencing the ALL_TAB_COLUMNS Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:ALL_TAB_PRIVS
SIGNATURE=T D A S 40 200 1521 ORACLE:ALL_TAB_PRIVS all/5ftab/5fprivs
DESCRIPTION=This signature alerts on SQL queries referencing the ALL_TAB_PRIVS Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:ALL_SOURCE
SIGNATURE=T D A S 40 200 1521 ORACLE:ALL_SOURCE all/5fsource
DESCRIPTION=This signature alerts on SQL queries referencing the ALL_SOURCE Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:ALL_VIEWS
SIGNATURE=T D A S 40 200 1521 ORACLE:ALL_VIEWS all/5fviews
DESCRIPTION=This signature alerts on SQL queries referencing the ALL_VIEWS Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. Some applications may issue such queries, but they typically do not. This may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:ALL_CONSTRAINTS
SIGNATURE=T D A S 40 200 1521 ORACLE:ALL_CONSTRAINTS all/5fconstraints
DESCRIPTION=This signature alerts on SQL queries referencing the ALL_CONSTRAINTS Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. Some applications may issue such queries, but they typically do not. This may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:DBA_TABLES
SIGNATURE=T D A S 40 200 1521 ORACLE:DBA_TABLES dba/5ftables ! ( pace )
DESCRIPTION=This signature alerts on SQL queries referencing the DBA_TABLES Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:DBA_TABLESPACE
SIGNATURE=T D A S 40 200 1521 ORACLE:DBA_TABLESPACE dba/5ftablespace
DESCRIPTION=This signature alerts on SQL queries referencing the DBA_TABLESPACE Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:USER_TABLES
SIGNATURE=T D A S 40 200 1521 ORACLE:USER_TABLES user/5ftables ! ( pace )
DESCRIPTION=This signature alerts on SQL queries referencing the USER_TABLES Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:USER_TABLESPACES
SIGNATURE=T D A S 40 200 1521 ORACLE:USER_TABLESPACES user/5ftablespace
DESCRIPTION=This signature alerts on SQL queries referencing the USER_TABLESPACES Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:SYS-ALL_USERS
SIGNATURE=T D A S 40 200 1521 ORACLE:SYS-ALL_USERS sys/2eall/5fusers
DESCRIPTION=This signature alerts on SQL queries referencing the SYS.ALL_USERS Oracle keyword. Such queries can be used to enumerate databases, tables, table structures, etc. of the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to survey the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:GRANT
SIGNATURE=T D A S 60 150 1521 ORACLE:GRANT grant/20 , /20to/20
DESCRIPTION=This signature alerts on SQL GRANT queries. Such queries are used to manipulate user rights for the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has the ability to issue arbitrary SQL statements to gain further access to the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:PASSWD-CHANGE
SIGNATURE=T D A S 60 200 1521 ORACLE:PASSWD-CHANGE alter/20user , identified/20by
DESCRIPTION=This signature alerts on SQL ALTER USER queries. Such queries can be used to change user passwords and manipulate user rights for the Oracle database. No "canned" applications should issue such queries, so this may be a sign of an attacker who has the ability to issue arbitrary SQL statements to gain further access to the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:TABLE-DROP
SIGNATURE=T D A S 60 200 1521 ORACLE:TABLE-DROP drop/20table
DESCRIPTION=This signature alerts on SQL DROP TABLE queries. With the possible exception of temporary tables they create (which is not commonly done), no "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to destroy data.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:TABLE-CREATE
SIGNATURE=T D A S 60 200 1521 ORACLE:TABLE-CREATE create/20table
DESCRIPTION=This signature alerts on SQL CREATE TABLE queries. With the possible exception of temporary tables they create (which is not commonly done), no "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to manipulate the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:TABLE-ALTER
SIGNATURE=T D A S 60 200 1521 ORACLE:TABLE-ALTER alter/20table
DESCRIPTION=This signature alerts on SQL ALTER TABLE queries. With the possible exception of temporary tables they create (which is not commonly done), no "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to manipulate the database or destroy data.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:TABLE-TRUNCATE
SIGNATURE=T D A S 60 200 1521 ORACLE:TABLE-TRUNCATE truncate/20table
DESCRIPTION=This signature alerts on SQL TRUNCATE TABLE queries. With the possible exception of temporary tables they create (which is not commonly done), no "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to destroy data.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:DATABASE-DROP
SIGNATURE=T D A S 60 200 1521 ORACLE:DATABASE-DROP drop/20database
DESCRIPTION=This signature alerts on SQL DROP DATABASE queries. With the possible exception of temporary databases they create (which is not commonly done), no "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to destroy data.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:DATABASE-CREATE
SIGNATURE=T D A S 60 200 1521 ORACLE:DATABASE-CREATE create/20database
DESCRIPTION=This signature alerts on SQL CREATE DATABASE queries. With the possible exception of temporary databases they create (which is not commonly done), no "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to manipulate the database.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:DATABASE-ALTER
SIGNATURE=T D A S 60 200 1521 ORACLE:DATABASE-ALTER alter/20database
DESCRIPTION=This signature alerts on SQL ALTER DATABASE queries. With the possible exception of temporary databases they create (which is not commonly done), no "canned" applications should issue such queries, so this may be a sign of an attacker who has gained raw database access attempting to manipulate the database or destroy data.
MODIFIED=Y
DISABLED=N

NAME=ORACLE:EXECUTE_SYSTEM
SIGNATURE=T D A S 60 200 1521 ORACLE:EXECUTE_SYSTEM execute/5fsystem
DESCRIPTION=This signature alerts on attempts to access the 'EXECUTE_SYSTEM' stored procedure. This stored procedure is not installed by default, but is a common add-on for Oracle systems. It allows a client to issue operating system commands on the Oracle database server host. This may be a sign of an attacker who has gained raw database access attempting to find a way to take control of and subvert the Oracle server.
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-SLASH
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-SLASH /2frwservlet/3f , report/3d/2f
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Reports on UNIX by pointing to a file by absolute path, starting with a slash. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-DOTDOT
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-DOTDOT /2frwservlet/3f , report/3d/2e/2e
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Reports on UNIX or Windows by pointing to a file by relative path, starting with .. (dot dot). Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-DRIVE
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-DRIVE /2frwservlet/3f , report/3d*/3a/5c
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Reports on Windows by pointing to a file by absolute path, starting with Driveletter:\. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-FRM-SLASH
SIGNATURE=T D A S 40 300 W WEB:ORACLE-FRM-SLASH /2ff90servlet/3f , form/3d/2f
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Forms on UNIX by pointing to a form file by absolute path, starting with a slash. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-FRM-DOTDOT
SIGNATURE=T D A S 40 300 W WEB:ORACLE-FRM-DOTDOT /2ff90servlet/3f , form/3d/2e/2e
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Forms on UNIX or Windows by pointing to a form file by relative path, starting with .. (dot dot). Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-FRM-DRIVE
SIGNATURE=T D A S 40 300 W WEB:ORACLE-FRM-DRIVE /2ff90servlet/3f , form/3d*/3a/5c
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Forms on Windows by pointing to a form file by absolute path, starting with Driveletter:\. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-FRM-MOD-SLASH
SIGNATURE=T D A S 40 300 W WEB:ORACLE-FRM-MOD-SLASH /2ff90servlet/3f , module/3d/2f
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Forms on UNIX by pointing to a module by absolute path, starting with a slash. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-FRM-MOD-DOTDOT
SIGNATURE=T D A S 40 300 W WEB:ORACLE-FRM-MOD-DOTDOT /2ff90servlet/3f , module/3d/2e/2e
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Forms on UNIX or Windows by pointing to a module by relative path, starting with .. (dot dot). Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-FRM-MOD-DRIVE
SIGNATURE=T D A S 40 300 W WEB:ORACLE-FRM-MOD-DRIVE /2ff90servlet/3f , module/3d*/3a/5c
DESCRIPTION=This signature alerts on attempts to run an arbitrary executable via Oracle Forms on Windows by pointing to a module by absolute path, starting with Driveletter:\. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-DESFMT-SLASH
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-DESFMT-SLASH /2frwservlet/3f , desformat/3d/2f
DESCRIPTION=This signature alerts on attempts to read an arbitrary file via Oracle Reports on UNIX by pointing to a format file by absolute path, starting with a slash. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-DESFMT-DOTDOT
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-DESFMT-DOTDOT /2frwservlet/3f , desformat/3d/2e/2e
DESCRIPTION=This signature alerts on attempts to read an arbitrary file via Oracle Reports on UNIX or Windows by pointing to a format file by relative path, starting with .. (dot dot). Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-DESFMT-DRIVE
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-DESFMT-DRIVE /2frwservlet/3f , desformat/3d*/3a/5c
DESCRIPTION=This signature alerts on attempts to read an arbitrary file via Oracle Reports on Windows by pointing to a format file by absolute path, starting with Driveletter:\. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-CUST-SLASH
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-CUST-SLASH /2frwservlet/3f , customize/3d/2f
DESCRIPTION=This signature alerts on attempts to read an arbitrary XML file via Oracle Reports on UNIX by pointing to a customization file by absolute path, starting with a slash. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.htmll
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-CUST-DOTDOT
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-CUST-DOTDOT /2frwservlet/3f , customize/3d/2e/2e
DESCRIPTION=This signature alerts on attempts to read an arbitrary XML file via Oracle Reports on UNIX or Windows by pointing to a customization file by relative path, starting with .. (dot dot). Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.htmll
MODIFIED=Y
DISABLED=N

NAME=WEB:ORACLE-RPT-CUST-DRIVE
SIGNATURE=T D A S 40 300 W WEB:ORACLE-RPT-CUST-DRIVE /2frwservlet/3f , customize/3d*/3a/5c
DESCRIPTION=This signature alerts on attempts to read an arbitrary XML file via Oracle Reports on Windows by pointing to a customization file by absolute path, starting with Driveletter:\. Based on information in an advisory by Red Database Security.
URL=http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.htmll
MODIFIED=Y
DISABLED=N
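The SIGNATURE values above are hex-escaped substring rules. The Python below is an added illustration, not part of this library or of the Dragon sensor: it decodes a handful of the SIGNATURE lines and evaluates them over constructed sample traffic, which shows the NLS_PARAMETERS false positive the SELECT-UNION entry warns about and how the "! ( pace )" exclusion keeps DBA_TABLES from firing on queries that DBA_TABLESPACE already covers. The meaning assigned to " , ", "! ( ... )", "*" and a trailing "$" is my assumption about the format, not something the library states.

```python
import re

# SIGNATURE field values copied from the ORACLE library above.
SIGS = [
    "T D A S 10 400 1521 ORACLE:SELECT-UNION select/20 , /20union/20",
    "T D A S 10 300 1521 ORACLE:SELECT-REFLEXIVE select/20 , /201/3d1$",
    "T D A S 40 200 1521 ORACLE:DBA_TABLES dba/5ftables ! ( pace )",
    "T D A S 40 200 1521 ORACLE:DBA_TABLESPACE dba/5ftablespace",
    "T D A S 40 300 W WEB:ORACLE-RPT-DRIVE /2frwservlet/3f , report/3d*/3a/5c",
]

# Assumed pattern semantics (my reading, not Dragon documentation):
#   /xx        hex escape for one byte
#   " , "      separates substrings that must ALL occur (case-insensitive)
#   ! ( ... )  trailing group of substrings, NONE of which may occur
#   *          matches any run of characters inside a token
#   trailing $ anchors the token to the end of the payload


def decode(tok):
    """Expand /xx hex escapes: 'select/20' -> 'select '."""
    return re.sub(r"/([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), tok)


def token_regex(tok):
    """Compile one pattern token to a regex ('*' wildcard, trailing '$' anchor)."""
    anchored = tok.endswith("$")
    if anchored:
        tok = tok[:-1]
    body = ".*".join(re.escape(decode(part)) for part in tok.split("*"))
    return re.compile(body + ("$" if anchored else ""), re.I | re.S)


def parse_signature(line):
    """Split a SIGNATURE value into header fields plus compiled must/must-not lists."""
    proto, direction, flag1, flag2, num1, num2, port, name, pattern = line.split(None, 8)
    must, must_not = pattern, ""
    neg = re.search(r"\s*!\s*\(\s*(.*?)\s*\)\s*$", pattern)
    if neg:
        must, must_not = pattern[: neg.start()], neg.group(1)
    split = lambda s: [t.strip() for t in s.split(" , ") if t.strip()]
    return {
        "name": name, "proto": proto, "port": port,
        "must": [token_regex(t) for t in split(must)],
        "must_not": [token_regex(t) for t in split(must_not)],
    }


RULES = [parse_signature(s) for s in SIGS]


def matches(sig, payload):
    return (all(r.search(payload) for r in sig["must"])
            and not any(r.search(payload) for r in sig["must_not"]))


def fired(payload):
    """Names of every signature in RULES that fires on one payload."""
    return [s["name"] for s in RULES if matches(s, payload)]


if __name__ == "__main__":
    # Constructed samples: a client-tool startup query (the documented false
    # positive), a tablespace listing, and a tautology at the end of a WHERE clause.
    for q in ("SELECT * FROM NLS_PARAMETERS UNION SELECT * FROM NLS_DATABASE_PARAMETERS",
              "select tablespace_name from dba_tablespaces",
              "select * from accounts where 1=1"):
        print(f"{fired(q)!s:32} <- {q}")
```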