RE: Nessus paid me a visit.

From: Courtney Llamas <courtney.llamas_at_oracle.com>
Date: Wed, 5 Aug 2015 07:48:36 -0700 (PDT)
Message-ID: <f4b1a40a-5a3b-4db1-8522-d8c3b3187bb3_at_default>



While OEM isn't made for "intrusion detection", there are probably some alerts you could get that might tip you off. What were the messages you saw in listener.log?  

In 12c, Listener metrics are response time, status and messages of TNS-[ ]*0*(1169|1189|12508|1190). Then, you'd have to be sending notifications or creating incidents on the listener target as well to actually see these on the console or in email/ticket. A lot of people don't do that, and only monitor status/availability of the listener.  

In all metrics - there's also Connections Refused collected, but no thresholds available. You could create a repository side metric extension on this to alert if it exceeds a value. I'd be interested to know what this chart looks like for that time period.      

From: Chris Grabowy [mailto:cgrabowy_at_gmail.com]
Sent: Wednesday, August 05, 2015 9:03 AM
To: oracle-l
Subject: Nessus paid me a visit.  

Folks,  

So last night I happened to come across a series of messages in listener.log which I looked into and determined that Nessus was probing the listener, etc.  

I contacted the security team and they confirmed it was their software coming from their server.  

I am happy that they are doing this and I look forward to the results. And we'll change and lock down whatever.  

However I must admit that I am a bit freaked out. "Something" was happening and I was not "alerted" to it by OEM or some other monitoring software. I'm not blaming OEM. Perhaps I need to configure something for OEM to report that.  

For next year's budget I had asked for Audit Vault and Database Firewall. I can't say for a fact that this product would help or not for this particular situation since I am not 100% familiar with the product.  

Perhaps others are using Audit Vault and Database Firewall and it reports this kind of probing? Or perhaps OEM can be configured to report this kind of probing?  

Anyway, I am open to any feedback.  

Thanks,

Chris Grabowy  

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Aug 05 2015 - 16:48:36 CEST
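As an added example (not code from either poster or from OEM), the listener.log triage the reply describes: flag the TNS message codes covered by the OEM 12c listener metric pattern quoted above, and count requests per client host that ended in a non-zero return code, which is the "Connections Refused" check a repository-side metric extension would have to implement. The sample log lines are constructed, and the refused-request threshold is an assumed value.

```python
import re
from collections import Counter

# TNS message codes in the OEM 12c listener metric pattern quoted in the thread.
TNS_ALERT_RE = re.compile(r"TNS-[ ]*0*(1169|1189|12508|1190)")
# Client address as written in listener.log connect strings.
HOST_RE = re.compile(r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=([^)]+)\)")

# Constructed sample listener.log excerpt (not a real capture): one noisy
# client issuing failing requests, one normal connection from an app host.
SAMPLE_LOG = """\
05-AUG-2015 01:12:03 * service_update * orcl * 0
05-AUG-2015 01:13:44 * (CONNECT_DATA=(SID=XXXX)(CID=(PROGRAM=)(HOST=scanner)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=41001)) * establish * XXXX * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
05-AUG-2015 01:13:45 * version * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=41002)) * 1189
TNS-01189: The listener could not authenticate the user
05-AUG-2015 01:13:46 * status * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=41003)) * 1169
TNS-01169: The listener has not recognized the password
05-AUG-2015 01:13:47 * ping * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=41004)) * 12508
TNS-12508: TNS:listener could not resolve the COMMAND given
05-AUG-2015 01:14:00 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.20)(PORT=52000)) * establish * orcl * 0
"""

def scan_listener_log(text, refused_threshold=3):
    """Return (alerts, refused_by_host, noisy_hosts): matched TNS message lines
    with the client host they belong to, refused-request counts per client, and
    clients at or above refused_threshold (an assumed cut-off)."""
    alerts = []
    refused = Counter()
    last_host = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            last_host = m.group(1)
            # The trailing field of a request line is its return code; 0 is success.
            code = line.rsplit("*", 1)[-1].strip()
            if code.isdigit() and int(code) != 0:
                refused[last_host] += 1
        # TNS-xxxxx message lines follow the request they belong to.
        if TNS_ALERT_RE.search(line):
            alerts.append((last_host, line.strip()))
    noisy = {host: n for host, n in refused.items() if n >= refused_threshold}
    return alerts, refused, noisy

if __name__ == "__main__":
    alerts, refused, noisy = scan_listener_log(SAMPLE_LOG)
    print(f"{len(alerts)} alert messages; noisy clients: {noisy}")
```

Note that TNS-12505 (unknown SID) is outside the OEM pattern and so produces no alert here, yet it still counts toward the per-host refused total, which is why the reply suggests a threshold on Connections Refused in addition to the message metric.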
