CEF Certified Configuration Guide for AppSec DbProtect with Audit & Threat Management
Pavan Raja, Apr 8, 2025
Summary:
This section summarizes the guide's list of audit events for the Sybase database management system, as reported to ArcSight under specific event IDs. The events are categorized into several types, each with a unique identifier and description. Here is a breakdown of the categories and their associated activities:
### 1. **Sybase Audit Events** (IDs starting from 3045)
- **TRUNCATE TABLE** (Event ID 3134): someone has performed a TRUNCATE operation on one or more tables in the database, which might suggest malicious activity if not normal for the system's usage patterns.

### 2. **Buffer Overflow Attacks** (IDs 3050 to 3053)
- **XP_FREEDLL** (Event ID 3050): an attempt to execute the XP_FREEDLL stored procedure, which can lead to a buffer overflow; categorized as High risk.
- **DROP DATABASE** (Event ID 3051): the dropping of a database might suggest a buffer overflow in the context of database management; High risk.
- **DBCC CHECKVERIFY** (Event ID 3052): while not directly related to buffer overflow, this operation can be part of an exploit vector; also High risk.
- **SELECT ALL (Potential DoS)** (Event ID 3053): a general SELECT statement that could potentially lead to Denial of Service (DoS); Medium risk.

### 3. **Password Attacks** (IDs 3100 to 3105)
- **Access Password Hashes** (Event ID 3100): accessing password hashes might indicate unauthorized access attempts or potential data breaches; Medium risk.
- **Server Login Names** (Event ID 3101): accessing server login names, which carries no specific malicious intent and does not pose a significant threat without further actions; Low risk.
- **Scripted Password Attacks** and **Password Guessing**: both are High-risk events indicating potential brute-force or automated attacks against the system's password security.

### 4. **System Events** (various IDs)
- **Database Activity Not Detected** (Event ID unspecified): might indicate a system compromise or unmonitored activities; Low risk.
- **Operational Phases**: events for database start/stop, sensor status changes, and login/logout attempts, each with a specified risk level ranging from Low to High depending on the context of the action taken.

### 5. **Web Application Attacks** (IDs potentially related to SQL Injection)
- **Comments in SQL Statements** (Event ID unspecified): a potential indication of an application SQL Injection attack; Low risk if confirmed through further analysis.
- **UNION Clause in SQL Queries**: might suggest a possible SQL Injection vulnerability; also Low risk unless it leads to severe consequences when exploited.

### Summary
These events serve multiple purposes, including security monitoring, compliance auditing, and operational management within the Sybase database environment. The "Informational" categorization implies that while these are not necessarily critical alerts, they provide valuable insight into system activity and can help in identifying potential vulnerabilities or unauthorized access attempts. Each event carries a risk level, which aids in prioritizing responses to incidents detected through these audit logs.
Details:
The "Common Event Format Configuration Guide" for Application Security, Inc.'s DbProtect Audit & Threat Management provides instructions on configuring the CEF Connector for syslog event collection. This guide is intended for use with DbProtect Audit & Threat Management Sensors version 3.12 and up, supporting Windows, Linux, and Solaris platforms. The document outlines the setup process to send alerts via syslog to the ArcSight Console within the sensor configuration context. It emphasizes that detailed instructions can be found in the "DbProtect User's Guide." DbProtect Audit & Threat Management is a part of the DbProtect platform, offering comprehensive database security through discovery, vulnerability scanning, real-time audit, and threat management solutions.
This document outlines the process for integrating DbProtect Audit & Threat Management with ArcSight using syslog messages. To set up this integration, you will need to configure a list of destinations for syslog alerts in the ArcSight Console. Enter the address of the ArcSight Syslog Connector and its port number (usually 514), then click "Add" to proceed.
After deploying your policy, DbProtect Audit & Threat Management alerts appear in real time in the ArcSight Console. The document includes a screenshot of the ArcSight Console showing these alerts, and notes that users can customize events using filters in DbProtect Audit & Threat Management for more specific monitoring.
Additionally, information about how vendor-specific event definitions are sent to the ArcSight SmartConnector and mapped to ArcSight data fields is provided, along with a table listing the mappings from ArcSight data fields to supported vendor-specific event definitions used by DbProtect Audit & Threat Management.
The guide then describes a map file used in the ArcSight SmartConnector configuration to enrich event data with database and sensor details. The map file adds static information, the IP addresses or hostnames of both the target database and the monitoring device (sensor), to each event, keyed on the name of the database instance. The lookup key is Device Custom String 2 (cs2), which carries the database instance name; from it the map sets Destination Host Name (dhost) to the database host and Device Host Name (dvchost) to the sensor host. The mappings are stored in CSV format, one record per line with fields separated by commas.
The text provided discusses the CSV (Comma-Separated Values) format used for mapping data in DbProtect Audit & Threat Management from ArcSight SmartConnector to a specific database instance and sensor device. Here's a summary of the key points:
1. **File Format**: The map file uses a CSV structure with each line containing three fields separated by commas. This format is common for exchanging tabular data between different applications.
2. **Fields Description**:
   - **event.deviceCustomString2**: This field acts as the lookup key and represents the user-defined database instance alias configured within the DbProtect Console. It is referred to as the "database instance" in the ArcSight Console when an event occurs.
   - **set.event.destinationHostName**: This field holds the IP address or hostname of the database instance named in the first field, and is displayed in the ArcSight Console for any associated events.
   - **set.event.deviceHostName**: This field holds the IP address or hostname of the DbProtect Audit & Threat Management Sensor monitoring the database instance, also displayed in the ArcSight Console when an event occurs.
3. **Example File Content**: The example provided includes a header line followed by three records each containing data for a different database:
Header Line: `event.deviceCustomString2,set.event.destinationHostName,set.event.deviceHostName`
Records:
```
oracle_sunny9,192.168.1.106,sensorDev101.nyc.acme.com
SQL2K5_PHILLIPNI,192.168.1.108,sensorDev101.nyc.acme.com
db_example_3,172.28.2.16,prd12bos.acme.com
```
The file can contain more or fewer lines depending on the number of monitored databases. For instance, if there are 10 databases being monitored, the map file would consist of 11 lines (including the header).
4. **Location and Usage**: An example map file is provided in the `Samples\CEF` directory of the installed DbProtect Console. The map file must use the `.csv` extension.
This format allows for a clear organization of data related to database instances and sensors, making it easier to manage and interpret the information needed for monitoring and reporting through the ArcSight SmartConnector integration with DbProtect Audit & Threat Management.
To summarize the given text, here are the steps to create a map file for ArcSight using DbProtect Audit & Threat Management:
1. **Set up the configuration of DbProtect Audit & Threat Management** to monitor databases. Refer to the DbProtect User’s Guide for detailed instructions on configuring this tool.
2. **Extract map information from the DbProtect Console database**: Use a standard SQL client like SQL Server Management Studio, connect with appropriate credentials (or ask your administrator if you don't have them). Execute the SQL query provided to extract data:
```sql
-- Row 1: the literal header line the ArcSight map file expects.
SELECT 'event.deviceCustomString2' AS cs2,
       'set.event.destinationHostName' AS dhost,
       'set.event.deviceHostName' AS dvchost
UNION
-- One row per monitored database instance: alias, database host, sensor host.
-- A database registered on the loopback address is reported under the sensor's
-- own hostname, since 127.0.0.1 means nothing to the ArcSight Console.
SELECT sa.alias,
       REPLACE(saa.hostname, '127.0.0.1', ss.hostname),
       ss.hostname AS 'dvchost'
FROM AppDetective..sensor_app_aliases saa
INNER JOIN AppDetective..sensor_apps sa ON saa.app_inst_id = sa.app_inst_id
INNER JOIN AppDetective..sensors ss ON sa.sensor_id = ss.sensor_id
-- UNION does not guarantee row order: after saving, confirm the header row is
-- the first line of the file before copying it to the SmartConnector.
```
3. **Create the map file** in Comma Separated Values (CSV) format using the extracted information.
4. Place the created map file, named `ar_sample.csv`, in the specified directory of the ArcSight SmartConnector: `\AppSecInc\Resources\Samples\CEF`.
This process involves setting up database monitoring and extracting specific data for mapping purposes before formatting it into a CSV file that can be used by the ArcSight SmartConnector.
To summarize the provided text, it outlines a process for saving and updating map files used in an ArcSight SmartConnector configuration. Here's a breakdown of the steps:
1. **Saving Results as CSV File**: The results from a query can be saved directly to a CSV file format by right-clicking on the result set, which brings up a dialog box asking where to save the file named "ar.csv". This file should be saved in the specific directory of the ArcSight SmartConnector installation path: `\current\user\agent\acp\categorizer\current\asi\a`.
2. **Placing the Map File**: The map file needs to be copied and placed in the specified directory mentioned above. If the directory does not exist, it should be created. Once added to this location, configuration is complete.
3. **Updating the Map File**: Updates are necessary when a new database target is configured or if there are modifications to the IP Address/hostname of existing monitored entities (like sensors). The map file can be manually updated or recreated following previous steps, and it should replace the old one at: `\current\user\agent\acp\categorizer\current\asi\a`.
4. **Map File Contents**: As an appendix, the text provides a sample of what information might be contained in the map file for database categories and their associated events, showing IDs, names, and risk levels for specific audit events from DB2 databases.
This summary captures the essential steps involved in setting up or updating map files within ArcSight SmartConnector configurations, emphasizing the importance of saving and maintaining these files in designated directories as per the software's structure.
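The map-file format described above and the procedure for producing and installing it both come down to one operation: look up the event's cs2 alias in the CSV and set dhost and dvchost from it. The following is an added example, not code from the AppSec or ArcSight guide, that loads such a map file, validates its header and field count, applies the same 127.0.0.1-to-sensor substitution as the guide's SQL query, and enriches a few CEF lines. The column names and the cs2/dhost/dvchost keys are from the guide; the function names, the sample CEF lines and the fourth map record (`local_test_db`) are constructed here.

```python
"""Load the DbProtect-to-ArcSight map file and enrich CEF events with it.

Added example, not code from the AppSec/ArcSight guide. The three map-file
columns and the CEF keys cs2, dhost and dvchost come from the guide; the
function names, the sample CEF lines and the fourth map record are constructed.
"""
import csv
import io
import re

MAP_HEADER = [
    "event.deviceCustomString2",
    "set.event.destinationHostName",
    "set.event.deviceHostName",
]

# Constructed map file: the guide's three example records plus one database
# registered on the loopback address (the case the guide's REPLACE() handles).
SAMPLE_MAP_CSV = """\
event.deviceCustomString2,set.event.destinationHostName,set.event.deviceHostName
oracle_sunny9,192.168.1.106,sensorDev101.nyc.acme.com
SQL2K5_PHILLIPNI,192.168.1.108,sensorDev101.nyc.acme.com
db_example_3,172.28.2.16,prd12bos.acme.com
local_test_db,127.0.0.1,sensorDev101.nyc.acme.com
"""

# Constructed CEF lines; signature IDs and names follow the guide's tables.
SAMPLE_EVENTS = [
    "CEF:0|Application Security, Inc.|DbProtect|3.12|3134|TRUNCATE TABLE|5|"
    "cs2=oracle_sunny9 suser=scott act=TRUNCATE",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|3100|Access Password Hashes|6|"
    "cs2=local_test_db suser=sa msg=policy\\=default",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|139|Failed login|3|"
    "cs2=not_in_map suser=guest",
]


def load_map(text):
    """Parse the map file into {alias: (dhost, dvchost)}.

    A wrong header or a record with the wrong field count is rejected
    outright: either mistake would otherwise leave events silently unenriched.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != MAP_HEADER:
        raise ValueError("unexpected map header: %r" % (rows[:1],))
    mapping = {}
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != 3:
            raise ValueError("line %d: expected 3 fields, got %d" % (lineno, len(row)))
        alias, dhost, dvchost = (field.strip() for field in row)
        # Same substitution as the guide's SQL: a loopback database address is
        # replaced with the sensor's hostname, which is what the SIEM can use.
        dhost = dhost.replace("127.0.0.1", dvchost)
        mapping[alias] = (dhost, dvchost)
    return mapping


def parse_cef(line):
    """Split a CEF line into its seven header fields and an extension dict."""
    # CEF escapes a literal '|' in the header as '\|', so split on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    header = {n: p.replace("\\|", "|") for n, p in zip(names, parts[:7])}
    # Extension keys are separated by a space followed by 'key='; an '=' inside
    # a value is escaped as '\=', so the lookahead never matches inside a value.
    extension = {}
    for token in re.split(r" (?=[\w.]+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return header, extension


def enrich(line, mapping):
    """Apply the map: cs2 (database instance alias) selects dhost and dvchost."""
    header, extension = parse_cef(line)
    alias = extension.get("cs2")
    if alias in mapping:
        extension["dhost"], extension["dvchost"] = mapping[alias]
    return header, extension


def run(map_text=SAMPLE_MAP_CSV, lines=SAMPLE_EVENTS):
    """Enrich every sample event; returns (signature ID, extension) pairs."""
    mapping = load_map(map_text)
    results = []
    for line in lines:
        header, extension = enrich(line, mapping)
        results.append((header["signature_id"], extension))
    return results


if __name__ == "__main__":
    for sig, ext in run():
        status = "enriched" if "dhost" in ext else "NO MAP ENTRY for cs2=%s" % ext.get("cs2")
        print(sig, status, ext)
```

Events whose cs2 alias has no map record pass through untouched, which is exactly what happens in the SmartConnector when a newly added database target has not yet been added to the CSV; logging those misses is the simplest way to notice that the map file is stale.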
The provided text lists a series of DB2 audit events with their respective IDs and descriptions, all marked as "Informational" in the DB2 Audit Events category. Here is a summary of each event:
- **DB2 Audit Events 3507**: Stored procedure executed.
- **DB2 Audit Events 3508**: CREATE FUNCTION statement (used to create user-defined functions).
- **DB2 Audit Events 3509**: CREATE INDEX statement (creates an index on one or more columns in a table for faster retrieval of data).
- **DB2 Audit Events 3510**: CREATE TRIGGER statement (defines actions to be taken automatically when specific events occur within the database, such as inserting, updating, or deleting records).
- **DB2 Audit Events 3511**: CREATE VIEW statement (creates a virtual table based on the result of a SQL query).
- **DB2 Audit Events 3512**: ALTER FUNCTION statement (modifies an existing function).
- **DB2 Audit Events 3513**: ALTER PROCEDURE statement (used to modify stored procedures).
- **DB2 Audit Events 3515**: ALTER VIEW statement (changes the definition of a view).
- **DB2 Audit Events 3516**: DROP FUNCTION statement (deletes an existing function).
- **DB2 Audit Events 3517**: DROP INDEX statement (removes an index from a table).
- **DB2 Audit Events 3518**: DROP TABLE statement (deletes an entire table and all its data).
- **DB2 Audit Events 3519**: DROP TRIGGER statement (deactivates or removes a trigger).
- **DB2 Audit Events 3520**: DROP VIEW statement (removes a view from the database).
- **DB2 Audit Events 3522**: ALTER TABLE statement (modifies an existing table, such as adding columns or changing constraints).
- **DB2 Audit Events 3532**: Login attempt - failed (indicates an unsuccessful login attempt to the DB2 database).
- **DB2 Audit Events 3535**: CREATE TABLESPACE statement (creates a new tablespace for storing data files).
- **DB2 Audit Events 3536**: ALTER TABLESPACE statement (modifies existing tablespace settings).
- **DB2 Audit Events 3537**: CREATE SCHEMA statement (defines a new schema within the database).
- **DB2 Audit Events 3538**: DROP TABLESPACE statement (deletes an existing tablespace).
- **DB2 Audit Events 3539**: DROP SCHEMA statement (removes a schema and all its objects from the database).
- **DB2 Audit Events 3540**: DROP PROCEDURE statement (deletes a stored procedure).
- **DB2 Audit Events 3541**: CREATE METHOD statement (creates a method, which is similar to a function but specific to object-oriented databases).
- **DB2 Audit Events 3542**: ALTER METHOD statement (modifies an existing method).
- **DB2 Audit Events 3543**: DROP METHOD statement (deletes a method from the database).
- **DB2 Audit Events 3544**: CREATE TYPE statement (defines a new type, which can be used to structure data in a more organized way).
- **DB2 Audit Events 3545**: ALTER TYPE statement (modifies an existing type definition).
- **DB2 Audit Events 3546**: DROP TYPE statement (deletes a user-defined type).
- **DB2 Audit Events 3547**: CREATE SEQUENCE statement (creates a sequence generator for generating unique values sequentially).
- **DB2 Audit Events 3548**: ALTER SEQUENCE statement (modifies properties of an existing sequence).
- **DB2 Audit Events 3549**: DROP SEQUENCE statement (deletes a sequence from the database).
- **DB2 Audit Events 3550**: GRANT of database authority (grants specific permissions to access or manipulate database objects, such as tables or procedures).
These events are used in DB2 environments for monitoring and auditing purposes, providing detailed information about user activities within the database.
The provided text lists various DB2 audit events with their corresponding IDs and descriptions. Here is a summarized version of the list:
1. **DB2 Audit Events**: These are categorized based on specific actions taken within the DB2 database, such as granting privileges or altering settings. Each event has an ID number followed by a brief description indicating what type of action was performed. The descriptions include events like "GRANT of EXECUTE privilege," "GRANT of schema privilege," and more. Some examples are:
   - **3551**: GRANT of EXECUTE privilege (Informational)
   - **3552**: GRANT of schema privilege (Informational)
   - **3553**: GRANT of table, view or nickname privilege (Informational)
   - **3554**: REVOKE statement (Informational)
   - **3562**: WITH GRANT OPTION statement (Informational)
   - **3571**: ALTER DATABASE statement (Informational)
   - **3572**: ALTER BUFFERPOOL statement (Informational)
   - **3573**: CREATE ALIAS statement (Informational)
   - **3574**: CREATE BUFFERPOOL statement (Informational)
   - **3575**: CLOSE statement (Informational)
   - **3576**: SET PATH statement (Informational)
   - **3577**: SET SCHEMA statement (Informational)
   - **3578**: ADMIN_CMD procedure (Network-based Sensor) (Informational)
   - **3579**: ALTOBJ procedure (Network-based Sensor) (Informational)
   - **3580**: AM_SAVE_TASK procedure (Informational)
   - **3581**: AM_DROP_TASK procedure (Informational)
   - **3586**: SET_ROUTINE_OPTS procedure (Informational)
   - **3589**: ADMIN_LIST_HIST function (Informational)
   - **3590**: REG_LIST_VARIABLES function (Informational)
   - **3592**: ALTER statement (Informational)
   - **3593**: ALLOCATE CURSOR statement (Informational)
   - **3594**: COMMENT statement (Informational)
   - **3595**: CREATE statement (Informational)
   - **3596**: DROP statement (Informational)
   - **3597**: GRANT statement (Informational)
   - **3598**: RENAME statement (Informational)
   - **3599**: LOCK TABLE statement (Informational)
   - **3600**: ROLLBACK statement (Informational)
Each event is associated with a specific action and is marked as informational, meaning it provides non-critical information about the actions taken in the DB2 database. The descriptions are useful for understanding what operations have been performed or attempted on the database, which can be crucial for auditing purposes and security analysis.
The provided text appears to be a summary of audit events and related information, specifically related to DB2 database management system. It lists various audit events such as SET, DECLARE, OPEN, COMMIT, FETCH statements, and more, along with their associated IDs. These are categorized under either "DB2 Audit Events" or "DB2 Buffer overflow," each given a specific ID number which seems to be standardized for identification purposes.
Additionally, there is another section titled "ArcSight Technical Note – Contains Confidential and Proprietary Information" which references an Event Interoperability Standard. This standard appears to categorize events into a Database Category with IDs such as 3523, 3524, and others listed under the subheadings of "Risk."
The risks associated with these categories are mostly categorized as "High," indicating significant potential impact on system integrity or availability. For instance, buffer overflows in various functions (e.g., CONNECT/ATTACH, stored procedures) are considered high risk due to their potential for denial of service and other severe consequences. Similarly, unsupported database versions are also flagged as high risk because they can lead to unstable operations and potentially significant data loss or corruption.
Dereferencing a null pointer in certain functions such as to_date() or to_char(), which may be used by complex applications for date conversion or character handling, is another high-risk category, indicating potential software bugs or vulnerabilities that need immediate attention.
In summary, the text outlines various audit events and their associated IDs used for identifying different types of activities within a DB2 database environment. The categorization into buffer overflows and other miscellaneous risks highlights areas where security concerns are particularly acute due to high impact on system functionality. This information is crucial for understanding potential threats and vulnerabilities in IT infrastructures, enabling appropriate preventive actions or mitigation strategies to be implemented based on the identified risk levels.
This document outlines a variety of security incidents and vulnerabilities identified by the Network-based Sensor in various databases, as well as some host-based sensor observations from Microsoft SQL Server 2000. The incidents are categorized based on their nature and potential impact, ranging from low to high risk. Here's a summary of each entry:
1. **DB2 Miscellaneous 3623**: Arbitrary code execution via the ADMIN_SP_C/ADMIN_SP_C2 procedures, reported by the Network-based Sensor and rated High risk. The attack can be initiated remotely, potentially leading to significant system compromise.
2. **DB2 Miscellaneous 3624**: Another arbitrary code execution event, via the DNET_INSTALLASSEMBLY procedure, also from the Network-based Sensor and rated High risk. This could lead to unauthorized access and manipulation of the system.
3. **DB2 Miscellaneous 3625**: Denial of Service (DoS) is caused by the stored procedure REMOVE_JAR in a Network-based Sensor. The attack disrupts service availability without necessarily compromising data or gaining elevated privileges.
4. **DB2 Miscellaneous 3629 and 3630**: These entries highlight buffer overflow vulnerabilities associated with the XMLQUERY and XMLEXISTS functions, respectively, also from a Network-based Sensor. This issue can be exploited to execute arbitrary code, posing significant risks.
5. **DB2 Password Vulnerabilities (3527, 3531, 3533, 3534)**: These relate to default passwords for known accounts and password attacks on database tables. The risk level varies from High (for scripted attacks) to Medium (for guessing methods), indicating the importance of enforcing strong authentication mechanisms.
6. **DB2 Privilege 3565**: Arbitrary file creation using XML Extender escalates privileges, potentially leading to unauthorized access and system manipulation. This is considered a high-risk event due to its potential for significant damage if exploited.
7. **DB2 System Events (175, 3567, 3568)**: These are related to database activity not being detected or issues with the sensor itself, indicating possible system misconfigurations or incomplete setup. The risk levels range from Low to High, highlighting the need for proper monitoring and maintenance of such systems.
8. **Microsoft Accessing OS (48, 54, 60, 78, 86)**: These are related to unauthorized access attempts on operating system resources through SQL queries. The risks vary from reading sensitive files (High) to using extended stored procedures (Low), indicating the importance of controlling and monitoring such activities.
9. **Microsoft Audit Events (57, 58, 76, 87, 88)**: These involve issues with auditing settings or unauthorized access attempts related to SQL Server 2000. The risks are moderate in some cases (like disabling audit settings), but can become significant if not addressed properly.
Overall, these entries underscore the importance of maintaining robust security practices and configurations across all database and operating systems used within an organization. Failure to do so could lead to unauthorized access, data breaches, and system compromise, with potential severe consequences for business operations and integrity.
The provided text lists a series of Microsoft SQL Server audit events, each identified by a unique number and categorized under the "Event Interoperability Standard" in an ArcSight Technical Note. These events are used to track activities such as database creation, modification, and deletion processes, including CREATE (create), ALTER (modify), and DROP (delete) operations for various objects like tables, views, procedures, functions, triggers, rules, indexes, databases, defaults, and user permissions. The audit events range from 89 to 114 and are marked as Informational in nature, which suggests that they are used primarily for monitoring and reporting purposes within the SQL Server environment.
This document, titled "ArcSight Technical Note – Contains Confidential and Proprietary Information," provides a comprehensive list of audit event categories in Microsoft SQL Server 2000 related to user management and object access. The events are categorized by their type (e.g., UPDATE, DELETE, GRANT, REVOKE) and the nature of the action taken (standard or denied). Key details include:
- **Database Category ID**: A unique identifier for each audit event that helps in systematic tracking and analysis.
- **Name**: The specific name of the audit event, which clearly indicates what type of activity is being audited.
- **Risk Level**: Not explicitly mentioned but can be inferred from the "Informational" label, suggesting low to no risk unless misused or abused by an unauthorized user.
- **Event Types**:
  - User table (UPDATE, DELETE): Audits changes made to user data in SQL Server tables.
  - System table (UPDATE, DELETE): Monitors modifications to system configuration and settings within the database.
  - Application role enabled: Records when application roles are activated or configured.
  - Statement permission granted/revoked/denied: Tracks permissions given or removed for executing specific SQL statements in the database.
  - Object permission granted/revoked/denied: Monitors actions related to granting, revoking, or denying access to database objects such as tables, views, stored procedures, etc.
  - Login events (standard and Windows): Records successful or failed login attempts by users and the types of authentication failures.
  - Database user creation and revocation: Tracks the addition and removal of database users within SQL Server.
  - Server role management: Audits changes to server roles that control access and permissions at the server level.
These audit events are crucial for maintaining security, compliance, and auditing requirements in an enterprise environment where multiple users manage and interact with databases.
This text appears to be related to auditing events in Microsoft SQL Server 2000, specifically the creation of audit logs for various activities. Here's a summarized version of the provided information:
**Audit Event Types:**
1. **Database Role Operations:**
   - **Dropped:** Dropping a database role (Event 136) is considered informational.
   - **Added:** Adding a user to a database role (Event 137) is informational.
   - **Dropped:** Removing a user from a database role (Event 138) is informational.
2. **Login Attempts:**
   - **Failed Login Attempts:** Failed login attempts are recorded as informational events (Event 139).
   - **Successful Login Attempts:** Successful logins are also recorded as informational events (Event 140).
3. **Traces and Auditing:**
   - **Trace Start:** Starting a trace is considered informational (Event 141).
   - **Trace Stop:** Stopping a trace is considered informational (Event 142).
4. **SQL Statements and Procedures:**
   - **SQL Statements:** Execution of SQL statements is recorded as informational (Event 143).
   - **Extended Stored Procedures:** Executing extended stored procedures is also recorded as informational (Event 144).
5. **Database Management:**
   - **Backup Operations:** Database backups are considered informational (Event 145 and Event 146).
   - **DBCC Commands:** Running DBCC commands results in an informational event (Event 147).
   - **Access to System Tables:** Direct access to system tables is recorded as informational (Event 148).
6. **Network Configuration:**
   - **Allowing Remote Access:** Allowing remote access to the server is considered informational (Event 149).
   - **Cross DB Ownership Chaining:** Enabling or disabling this feature is also informational (Event 150).
7. **Configuration and Permissions:**
   - **Adhoc Queries Enabled:** Enabling ad-hoc queries is recorded as medium risk (Event 151).
8. **Access and Failures:**
   - **Failed Object Access:** Failed access to objects in the database is considered informational (Event 152).
   - **Direct Updates to System Tables:** Direct updates to system tables are recorded as informational (Event 153).
9. **Connectivity from Office Applications:**
   - **Connectivity from Office XP Component:** This activity is logged as informational (Event 154 and Event 155).
**Technical Notes and Confidentiality:**
The entries are part of the Microsoft Audit Events, which also include risk assessments for each event.
Some notes are marked as "ArcSight Technical Note" and contain confidential and proprietary information (indicated by specific numbering that continues from Event 13 to Event 20).
These events are crucial for understanding user activities and security configurations within SQL Server environments, particularly in the context of auditing and compliance requirements.
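Every login event in the tables above is rated Informational on its own; the value for auditing comes from correlating them once they reach the SIEM. The following is an added example, not code from the guide or from ArcSight, showing how a simple sliding-window correlation over DbProtect CEF events turns a run of failed logins (signature IDs 139 for SQL Server and 3532 for DB2, from the tables above) followed by a success (140) into an alert. The risk labels are the guide's; the CEF lines, timestamps, user names and source addresses are constructed, and the simplified CEF split assumes extension values without spaces.

```python
"""Correlate DbProtect login audit events into a brute-force alert.

Added example, not code from the AppSec/ArcSight guide. Signature IDs 139,
140 and 3532 and the risk labels are taken from the guide's event tables;
the CEF lines, timestamps, user names and addresses are constructed.
"""
from collections import defaultdict, deque

# Risk levels as listed in the guide, keyed by signature ID.
PAGE_RISK = {
    "139": "Informational",   # Failed login attempt (SQL Server)
    "140": "Informational",   # Successful login (SQL Server)
    "3532": "Informational",  # Login attempt - failed (DB2)
    "151": "Medium",          # Ad hoc queries enabled
    "3050": "High",           # XP_FREEDLL buffer overflow (Sybase)
}
FAILED_LOGIN = {"139", "3532"}
SUCCESSFUL_LOGIN = {"140"}

# Constructed events. rt is the CEF receipt time in epoch milliseconds.
SAMPLE_EVENTS = [
    "CEF:0|Application Security, Inc.|DbProtect|3.12|139|Failed login|3|suser=sa src=10.0.0.5 cs2=SQL2K5_PHILLIPNI rt=1000",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|139|Failed login|3|suser=sa src=10.0.0.5 cs2=SQL2K5_PHILLIPNI rt=11000",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|139|Failed login|3|suser=guest src=10.0.0.9 cs2=SQL2K5_PHILLIPNI rt=12000",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|139|Failed login|3|suser=sa src=10.0.0.5 cs2=SQL2K5_PHILLIPNI rt=21000",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|139|Failed login|3|suser=sa src=10.0.0.5 cs2=SQL2K5_PHILLIPNI rt=31000",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|140|Successful login|1|suser=sa src=10.0.0.5 cs2=SQL2K5_PHILLIPNI rt=35000",
    "CEF:0|Application Security, Inc.|DbProtect|3.12|3532|Login attempt - failed|3|suser=db2inst1 src=10.0.0.7 cs2=db_example_3 rt=40000",
]


def signature_and_extension(line):
    """Return (signature ID, extension dict) for a CEF line.

    Simplified split: assumes extension values contain no spaces, which
    holds for the constructed sample above.
    """
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("not a CEF line")
    ext = dict(token.split("=", 1) for token in parts[7].split())
    return parts[4], ext


def correlate(lines, threshold=3, window_ms=60_000):
    """Alert on `threshold` failed logins per (user, source) inside a sliding
    window, and on a successful login that follows such a burst."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        sig, ext = signature_and_extension(line)
        key = (ext.get("suser"), ext.get("src"))
        now = int(ext.get("rt", "0"))
        recent = failures[key]
        # Drop failures that fell out of the window.
        while recent and now - recent[0] > window_ms:
            recent.popleft()
        if sig in FAILED_LOGIN:
            recent.append(now)
            if len(recent) == threshold:
                alerts.append(("repeated_failed_login", key, threshold))
        elif sig in SUCCESSFUL_LOGIN and len(recent) >= threshold:
            # A success right after a burst of failures is the case worth
            # an analyst's attention even though each event is Informational.
            alerts.append(("success_after_failures", key, len(recent)))
            recent.clear()
    return alerts


def risk_of(line):
    """Map a CEF line to the guide's risk label (IDs not on the page -> 'Unlisted')."""
    sig, _ = signature_and_extension(line)
    return PAGE_RISK.get(sig, "Unlisted")


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the tuning knobs: a value of three failures in a minute is deliberately low for the sample and would be raised on a busy server, while the guide's own Scripted Password Attack and Password Guessing events remain the sensor-side signal for the same behaviour.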
This document outlines various audit events recorded by Microsoft SQL Server 2000, which are used to track and monitor activities such as connections, user actions like executing functions, stored procedures, and schema changes, and administrative commands. The events include details about connections from different tools (Enterprise Manager, OSQL Utility, ISQL Utility, SQL Profiler, MS Access 2000, TOAD for SQL Server, and Management Studio), as well as specific user-defined function executions, ALTER DATABASE operations, stored procedure executions, error exceptions, extended stored procedures addition, and various DDL (Data Definition Language) commands like CREATE, TRUNCATE, BULK INSERT, DENY, REVOKE, and DROP statements. These audit events are part of the Microsoft Audit Events database category, indicating potential risks associated with unauthorized access or system changes.
This document contains a list of audit events recorded by Microsoft SQL Server 2000 that fall under the "Buffer Overflow" category. The events include both internal system commands (e.g., trace status changes, version information) and user-initiated actions (e.g., modification of login passwords). Specific buffer overflow events are numbered from 1 to 17 and involve operations such as adding extended procedures, performing bulk inserts, checking constraints, defragmenting indexes, updating usage statistics, executing format string functions, controlling queue services, creating or deleting private/queue structures, decoding commands, and more. These events are flagged with a "Low" to "High" risk level, indicating the severity of potential security implications or system impacts. The document is labeled as ArcSight Technical Note – Contains Confidential and Proprietary Information, suggesting its intended audience may have access restrictions.
The provided information outlines a series of buffer overflow vulnerabilities identified in various SQL Server 2000 stored procedures. These include:
- `xp_displayqueuemesgs`: A buffer overflow issue affecting the procedure used to display queue messages, marked as high risk.
- `xp_dsninfo`, `xp_mergelineages`, `xp_oledbinfo`, `xp_proxiedmetadata`: Each of these procedures is susceptible to a buffer overflow vulnerability and is also categorized as high risk.
- Various other stored procedures such as `xp_readpkfromqueue` (with multiple instances), `xp_readpkfromvarbin`, `xp_resetqueue`, `xp_sqlinventory`, `xp_unpackcab`, `xp_updatecolvbm`, `xp_showcolv`, `xp_printstatements`, `xp_peekqueue`, and `sp_OAMethod` are also noted to have buffer overflow issues, with some being marked as high risk (e.g., `xp_execresultset`, `xp_displayparamstmt`, `sp_OAMethod`) and others potentially allowing low-risk exploitation (noted for specific parameters of `sp_OAMethod`).
These vulnerabilities pose a significant security risk, as they could allow an attacker to execute arbitrary code on the affected SQL Server systems, leading to potential unauthorized access or data leakage.
The provided information outlines various vulnerabilities and security risks associated with Microsoft SQL Server 2000, as identified by the database category ID names. These include buffer overflows in stored procedures such as `sp_OAGetProperty`, `sp_OACreate`, `pwdencrypt`, `RAISERROR`, `OpenDataSource`, and others, which are considered high-risk issues due to their potential for unauthorized access or system compromise. Additionally, there are vulnerabilities related to password security (e.g., reading passwords from files or using them in scripted attacks), authentication mode changes, log erasing, ad hoc updates to the system catalog, and registry backdoors installed via SQL queries. These risks require careful management and adherence to secure practices to prevent potential data breaches and unauthorized access.
This summary outlines various security vulnerabilities and events related to Microsoft SQL Server 2000, as identified by different tools and technologies. The list includes specific privilege escalation issues such as SQL injection attacks and elevation of privileges through the use of extended stored procedures (XPs). Additionally, it mentions application-level attacks like data theft attempts and SQL injection via web applications.
1. **Privilege 61**: A vulnerability in sp_MSdropretry which allows for a SQL injection attack, leading to medium risk due to potential escalation of privileges.
2. **Privilege 63**: The OPENROWSET privilege can be exploited to escalate privileges, classified as high risk.
3. **Privilege 77**: Elevating privileges using XPs is identified as a high-risk vulnerability.
4. **Privilege 85**: SQL Agent privilege escalation is marked as high risk due to potential misuse in malicious activities.
5. **Privilege 201**: Local privilege escalation via Named Pipes is considered medium risk, indicating significant security implications if exploited.
6. **AppDetective series (65-73)**: Detection of the AppDetective scanner, used for SQL Server vulnerability scanning and pen testing, is rated medium risk.
7. **NGSSqlcrack, SQLDict, SQL Exec, NGSSquirrel, SQLScan, SQL Browser**: Use of these specific security tools against SQL Server 2000 is logged as medium risk, as they are associated with SQL injection or other malicious activity.
8. **System Events (170-172)**: Monitoring events such as database start/stop and activity detection, with risks ranging from high when databases are started or stopped to low when no activity is detected.
9. **Web 51-81 series**: These web application categories cover SQL injection attempts; both attempted and successful injections are rated high risk, reflecting the significant threat these attacks pose.
These findings highlight the importance of continuous monitoring and updating security measures for Microsoft SQL Server environments, particularly in detecting and mitigating potential risks associated with privilege escalation and unauthorized access via SQL injection vulnerabilities.
This is a list of potential security issues found in various Microsoft SQL Server applications, categorized by the specific risk level. Here's an overview:
1. **Web 82 Mismatched quotes - SQL Injection Low**: A low-risk issue where mismatched quotes might lead to SQL injection attacks on web pages.
2. **Microsoft Web 83 SET NOEXEC - SQL Injection Low**: Another low-risk scenario indicating a potential for SQL injection due to the use of `SET NOEXEC`.
3. **Web 84 Cross-site scripting Low**: Shows possible cross-site scripting (XSS) vulnerabilities in web applications that could be exploited by malicious users.
4. **Accessing OS 2000 - High**: High risk of accessing sensitive operating system files and registry keys, but specific details are not provided.
5. **Accessing OS 2005 & up - High**: Various high-risk actions such as reading sensitive OS files (e.g., the SAM database in the registry) and using ad hoc queries with Jet, which could lead to unauthorized data access.
6. **Using Adhoc queries with Jet Medium**: A medium-risk action involving the use of unplanned SQL queries that might bypass certain security configurations.
7. **xp_cmdshell Extended Stored Procedure Low**: Indicates a potential risk due to the use of `xp_cmdshell`, which allows executing operating system commands from within SQL Server.
8. **Auditing disabled Medium**: Shows medium-risk issues related to disabling auditing features in Microsoft SQL Server, which can compromise security monitoring and incident detection.
9. **Creating new database objects (e.g., CREATE DATABASE, CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, CREATE FUNCTION, CREATE TRIGGER, CREATE RULE, CREATE INDEX) is Informational risk**: These actions are rated Informational because they create standard database elements and do not by themselves indicate a threat, though they warrant review if performed without proper authorization.
10. **General Risk Category for Audit Events and Database Management**: Each entry under "Microsoft Audit Events" indicates a specific audit event, ranging from low to informational risk levels, reflecting different aspects of SQL Server auditing that might be misconfigured or abused.
Each item is linked to the category ID and specifies whether it's related to Microsoft SQL Server 2005 & up, indicating the platform where these issues are most likely to occur.
This text provides a summary of various audit events related to database operations in SQL Server, from version 2005 onwards. The events are categorized by the type of operation they represent and include details such as alterations (like ALTER PROCEDURE, ALTER FUNCTION, etc.), deletions (DROP DATABASE, DROP TABLE, etc.), and permission grants on both user and system tables. These audit events are part of the Microsoft Audit Events category and are listed by category ID, name and risk.
The summarized information pertains to various audit events in Microsoft SQL Server, starting from version 2005 and up. These events are logged by the system for auditing purposes, providing detailed records of user activities such as permissions granted or revoked, login attempts, creation or removal of database users, role assignments, and failed login attempts. Each event is categorized under a specific ID (e.g., 2121-2139) and carries an Informational tag indicating the nature of the event.
This document contains a series of audit events related to SQL Server management and usage, with event numbers ranging from 2140 to 2159. These events are logged under Microsoft Audit Events in SQL Server environments starting from version 2005. The log entries cover activities such as login attempts (successful or not), trace starts/stops, execution of extended stored procedures, database backups and restores, DBCC commands, direct access to system tables, remote access settings, changes in ownership chaining rules, connectivity through different tools (Office XP Component, Office 2000 Component, SQL Query Analyzer, Management Studio, OSQL Utility, and ISQL Utility), and other related activities. The events are categorized as Informational unless they involve risks such as failed object access or enabling direct updates to system tables, which are considered medium risk. This document is part of a series that outlines event interoperability standards between different databases.
This text is documentation of SQL Server audit events and their associated event IDs, which are used for logging activities within the database management system. The events listed include connections from various tools (such as SQL Profiler, MS Access 2000, TOAD for SQL Server), execution of user-defined functions, errors, queries, and metadata queries. These audit events are categorized under specific event IDs and are used to track and monitor activities that may indicate security risks or other significant system changes.
This text outlines several Microsoft-specific audit events and SQL Server procedures related to database management, including the execution of commands such as SP_HELPROTECT, SP_ADDUMPDEVICE, SP_DROPDEVICE, xp_dirtree, xp_fileexist, xp_fixeddrives, sp_procoption, xp_regread/xp_instance_regread, sp_dboption, sp_MSset_oledb_prop, sp_enum_dtspackages, sp_get_dtspackage, CREATE ASSEMBLY, DROP ASSEMBLY, CREATE SYNONYM, DROP SYNONYM, CREATE SERVICE, ALTER SERVICE, and DROP SERVICE. These events are associated with SQL Server 2005 and later versions and audit activity within these databases for security or administrative purposes.
This text provides a summary of various audit events related to SQL Server 2005 and later versions, specifically within the Microsoft Audit Events category. The table lists event numbers and their descriptions, such as creating or dropping contracts, event notifications, message types, partition functions, partition schemes, queues, remote service bindings, and routes, for use in security monitoring and auditing of SQL Server environments.
This text is a series of entries for Microsoft Audit Events with IDs ranging from 2554 to 2575. The entries document actions such as altering routes, dropping routes, creating and updating statistics, executing stored procedures (like sp_addlinkedserver, sp_dropserver, adding/deleting jobs), certificate operations (CREATE, ALTER, DROP), asymmetric key operations (CREATE, ALTER, DROP), symmetric key creation, and bulk insert commands. The "Informational" label indicates these events are logged for informational purposes rather than as an error or security incident.
This document outlines several informational SQL Server audit events starting from event ID 2576, continuing through 2593 and including additional entries up to event ID 2595. The events primarily relate to cryptographic keys (symmetric key, master key), schema management (CREATE SCHEMA, ALTER SCHEMA, DROP SCHEMA), XML schema collections (CREATE XML SCHEMA COLLECTION, ALTER XML SCHEMA COLLECTION, DROP XML SCHEMA COLLECTION), endpoint management (CREATE ENDPOINT, ALTER ENDPOINT, DROP ENDPOINT), credential management (CREATE CREDENTIAL, ALTER CREDENTIAL, DROP CREDENTIAL), and the EXECUTE AS LOGIN feature in SQL Server.
Each event is associated with a specific audit log entry under Microsoft Audit Events. The events are categorized under IDs such as 2576-2593 for CREATE MASTER KEY, ALTER MASTER KEY, DROP MASTER KEY, etc., indicating the type of action being audited (e.g., creation, alteration, or deletion) and that it is informational in nature.
The information provided includes details about when these events occur during SQL Server operations, which can be crucial for auditing and compliance purposes to track changes and activities on the server. The risk category varies from high for some actions directly affecting system objects like CREATE, ALTER, and DROP statements on medium-risk system objects in SQL Server up to 2005 & later versions, to informational for others related to cryptographic key management and schema alterations.
This summary highlights that these audit events are part of a broader set designed to monitor sensitive operations and changes within the SQL Server environment, providing detailed information about each specific action taken on the server as per regulatory or organizational compliance requirements.
This text provides a summary of various undocumented extended stored procedures and SQL events that are tracked under Microsoft Audit Events in SQL Server 2005 and later versions. The information is categorized under different IDs, each representing specific actions or procedures performed within the database environment, such as executing stored procedures for database mail (IDs 2597-2601), altering roles and application roles (IDs 2600-2604), modifying users' login passwords (ID 2618), and other SQL operations like granting or revoking permissions (IDs 2612-2616). These events are significant for security monitoring and auditing purposes.
The provided information outlines various audit events and their associated descriptions from Microsoft Audit Events for SQL Server 2005 and later versions. These events range from informational messages to high-risk vulnerabilities, indicating potential security incidents or activities that may compromise the system's integrity, availability, or confidentiality. Below is a summarized list of these events:
1. **Standard Login Property Modified** - Informational: An event where standard login properties have been modified, potentially indicative of unauthorized access attempts or configuration changes.
2. **Asymmetric Encryption Key Accessed** - Medium Risk: Access to an asymmetric encryption key should be reviewed against the data protection and security policies in force for the SQL Server environment.
3. **Attempt to Change Password Detected** - Informational: An event indicating a failed or attempted change of user passwords, which might be indicative of unauthorized access attempts or password-related vulnerabilities.
4. **ENABLE TRIGGER / DISABLE TRIGGER** - Informational: Changes in database trigger settings, which are used for automated actions triggered by events such as data modifications; could indicate operational changes without explicit authorization.
5. **Creation of Temporary Table** - Informational: Creation of temporary tables can be part of normal operations but may also signal unauthorized activities or attempts to evade auditing or logging mechanisms.
6. **KILL Statement** - Informational: Execution of the KILL statement, used to terminate SQL Server processes, might suggest administrative actions potentially taken by users with appropriate permissions.
7. **Buffer Overflow Events (IDs 2056 and 2610)** - Medium Risk: These events indicate potential buffer overflow vulnerabilities in the SQL Server system that could be exploited for code injection or other malicious activities.
8. **Authentication Mode Changed** - Low Risk: Changes to authentication modes might suggest attempts to alter how users access the database, which can affect overall security posture.
9. **Log Erasing Using sp_cycle_errorlog** - Low Risk: Actions that erase log files could be related to concealing actions or activities within the system.
10. **Using Dynamic SQL to Access syslogins** - High Risk: Direct dynamic SQL access to sys.syslogins can bypass certain security checks and might indicate attempts to escalate privileges or gain unauthorized access to user accounts.
11. **BCP Executed Using xp_cmdshell** - Medium Risk: The use of BCP (Bulk Copy) with xp_cmdshell could lead to command execution on the server, potentially compromising data integrity and security settings.
12. **Scripted Password Attack / Password Guessing** - Medium Risk: These events suggest automated attacks or attempts to guess passwords, indicating potential vulnerabilities in password policies and practices.
13. **Windows Shared Resource Used** - Medium Risk: Utilizing Windows shared resources within SQL Server could indicate unauthorized sharing of system resources or activities that may bypass security controls.
14. **Registry Backdoor Installed / Run-time Patch Exploit** - High Risk: Installation of registry backdoors, as well as exploiting runtime patches, are indicative of significant security breaches and potential malicious activities.
These events highlight various aspects of SQL Server usage and configuration that could be exploited or misused by attackers, suggesting a need for robust monitoring, auditing, and security measures to protect against unauthorized access and potential data breaches.
This summary outlines various security incidents and events related to Microsoft SQL Server 2005 and later versions, including escalation using Named Pipes, SQL escalation, and attacks on the SQL application server. The incidents are categorized by their level of risk (High, Medium, Low) and involve tools such as AppDetective, NGSSqlcrack, SQLDict, SQL Exec, NGSSquirrel, SQLScan, SQL Browser, and specific web-based attacks like SQL injection and cross-site scripting (XSS). Some events are categorized under Microsoft Security Tools. The incidents indicate a range of potential security vulnerabilities that could be exploited to gain unauthorized access or compromise the integrity of the database systems.
This document is a technical note on Oracle database security and auditing, specifically focusing on accessing operating system (OS) functionality, altering system settings, and auditing events within the Oracle environment. Here is a summarized breakdown of the entries mentioned:
1. **Accessing OS Files**:
   - **513** Read OS files using the `SYS.UTL_FILE` package - Allows reading OS files via the `UTL_FILE` package in Oracle Database, which can be risky if not properly configured.
   - **514** Write OS files using the `UTL_FILE` package - Enables writing to OS files; necessary for some administrative tasks but carries significant security risks without proper controls.
   - **594-595** `UTL_TCP` and `UTL_INADDR` packages - These provide TCP/IP network access, with varying risk levels depending on the specific functionality used.
   - **602-603** `DBMS_SCHEDULER` for privilege escalation and running OS commands - Allows scheduling tasks that can potentially escalate privileges or execute system commands.
   - **605** Directory traversal in `UTL_FILE` - Enables accessing unauthorized files via directory traversal, which is a high-risk behavior.
2. **Auditing Events**:
   - Various audit events from 500 to 524 are related to different types of database operations (e.g., SELECT, INSERT, DELETE) and system alterations (e.g., ALTER SYSTEM), providing detailed information on user activities that should be monitored for security purposes.
3. **OS-Related Packages**:
   - **UTL_SMTP** and **UTL_HTTP** provide network protocol access for sending emails and HTTP requests respectively; they are useful but are assigned a lower risk level because they operate primarily at the application layer.
Each entry is categorized by risk level (High, Medium, Low) and type of information provided, reflecting the potential risks and importance of each functionality in terms of database security management.
The provided text lists a series of Oracle audit events, each associated with an event ID and description. These include various database administrative actions such as creation (CREATE), modification (ALTER) and deletion (DROP) operations on objects like materialized views, packages, procedures, sequences, tablespaces, indexes, profiles, users, views, directories, functions, triggers, and more. Each audit event is marked as "Informational" and categorized under Oracle Audit Events with a unique ID ranging from 542 to 570, listed by category name and risk for use in security analysis or audit purposes in an enterprise environment.
This document outlines a series of Oracle audit events, which are informational in nature and record various activities within an Oracle database. The events include modifications to views (ALTER VIEW), usage of default user accounts, listener commands related to network-based sensors (STATUS, VERSION, STOP, SERVICES), execution of stored procedures, failed login attempts, creation and alteration of Java source, class, and resource files, role management (CREATE, DROP, ALTER ROLE), truncation operations, and various database administrative statements such as ANALYZE, ASSOCIATE STATISTICS, COMMENT, COMMIT, CREATE, DISASSOCIATE STATISTICS, and DROP.
This document appears to be a log of various audit events recorded by Oracle databases, including both system and user-initiated actions. The events are logged with unique IDs ranging from 707 to 762 and 3555, each associated with specific database activities. Here's a summary of the most common types of events:
1. **Audit Events (IDs 707 - 746):** These include various SQL statements such as `ALTER`, `CREATE`, `DROP`, and others, indicating changes or queries made to the database schema. Some specific examples are `ALTER SEQUENCE`, `CREATE CLUSTER`, `REVOKE DBA`, and more.
2. **LOCK TABLE Statement (ID 708):** Indicates a request to lock tables in the database for administrative purposes.
3. **MERGE Statement (ID 709):** Not explicitly defined but could refer to Oracle's MERGE statement which is used for data manipulation, potentially included under "SET" or another category as per the context provided.
4. **PURGE Statement (ID 710):** Indicates a request to remove data from tables based on specific criteria.
5. **RENAME Statement (ID 711):** Indicates a request to rename database objects such as tables or views.
6. **ROLLBACK and SAVEPOINT Statements (IDs 712, 713):** These are related to transaction control within the database; specifically, they indicate attempts to roll back transactions or set savepoints.
7. **SET Statement (ID 714) and similar IDs:** This could include various SQL `SET` commands that configure session settings or define variables in Oracle databases.
8. **FLASHBACK Statements (IDs 715, 716):** These are related to the database's flashback capabilities, which allow for recovery of accidentally deleted data.
9. **DROP and ALTER Statements (IDs 729 - 743):** These indicate deletion or modification of various database entities such as sequences, Java resources, procedures, packages, and clusters.
10. **Role Revocation and Alteration (IDs 745, 746):** Indicates actions related to system roles like `SYSDBA` and `SYSOPER`, which grant high-level administrative privileges.
11. **Login Attempts (ID 762):** Records successful login attempts into the database, indicating activity by users or processes attempting access.
12. **SELECT Statement on System Table (ID 3555):** Indicates a query made on a system table, which could be informational or part of routine administrative tasks.
Each event is marked as "Informational," suggesting that these are typically non-critical events recorded for compliance, monitoring, or forensic purposes within the database environment. The context provided indicates that this log may be used to audit user activities and ensure adherence to security policies and procedures in a corporate or enterprise setting.
The document lists several Oracle database buffer overflow vulnerabilities, which are critical security issues where more data is written to a buffer than it can hold, overwriting adjacent memory. This can cause the application or system to crash or become unstable, and can allow unauthorized access or disclosure of sensitive information. The severity of each vulnerability is noted as "High" or "Medium," depending on the potential impact on security and functionality.
The vulnerabilities are numbered from 525 to 613, with descriptions including functions such as `NUMTOYMINTERVAL`, `TIME_ZONE`, `SERVICE_NAME`, and others specific to Oracle database management system functionalities like instantiation procedures, character conversions, denial of service in interMedia, and replication management. These vulnerabilities could be exploited by attackers to gain unauthorized access or disrupt the normal operation of Oracle databases and applications that rely on these functions.
The provided text lists various Oracle buffer overflow incidents, each assigned a unique category ID and described as occurring at different levels of risk (indicated by "High," "Medium," or "Low"). These incidents involve multiple components including database management systems (DBMS), replication management procedures, XML schema generation, session settings, spatial data objects (SDO), and other internal Oracle processes. The risks range from potentially critical to moderately severe, highlighting the need for immediate attention and resolution by IT administrators and security specialists to prevent potential system failures or security breaches.
This document contains a compilation of various security vulnerabilities found within Oracle databases. These include buffer overflows affecting specific database objects such as packages (like DBMS_AQADM_SYS.DBLINK_INFO, MDSYS.SDO_CS.TRANSFORM, XDB.XDB_PITRIG_PKG, SYS.DBMS_AQJMS, AGGXQIMP.ODCIAGGREGATEINITIALIZE, and others), as well as SQL injection flaws in various parts of the Oracle database system (like packages in CTXSYS.CTX_DOC, DBMS_PRVTAQIS, DBMS_CDC_UTILITY, PORTAL.WWEXP_API_ENGINE, and PORTAL.WWV_RENDER_REPORT). Additionally, there are concerns about uncommon uses of specific functions like CHR and UNISTR, and a high risk noted for the installation of a database rootkit. All these issues are categorized under Oracle Miscellaneous with respective risk levels indicated as High, Medium or unspecified.
The document outlines several SQL injection vulnerabilities and denial of service issues found in various Oracle databases, as well as potential access to sensitive information such as passwords and usernames. Key points include:
**SQL Injection Vulnerabilities:** There are multiple instances where SQL injections can occur across different database objects (e.g., SYS.KUPF$FILE_INT, SYS.LT.COMPRESSWORKSPACETREE, DMSYS.ODM_MODEL_UTIL). These issues are categorized as "High" risk due to the potential for unauthorized data access and manipulation.
**Denial of Service (DoS) Risks:** Several database objects like OLAPSYS.CWM2_OLAP_AW_AWUTIL.PARSELIMITMAP and OLAPSYS.CWM2_OLAP_AW_AWUTIL.READCURRMEASURECOLNAME are identified as "High" risk for DoS attacks, which could disrupt service by overwhelming the system with requests or consuming excessive resources.
**Access to Sensitive Information:** The document also notes issues where unprivileged database users can access sensitive data such as password hashes and cleartext passwords from various tables (e.g., SYS.USER$, DBA_USERS). These include a "Medium" risk for accessing APEX password hashes in FLOWS_030000.WWV_FLOW_USERS and low-risk access to usernames stored in various tables (SYS.LINK$, SYS.USER$, DBA_USERS, ALL_USERS).
The document is part of a series on database security and interoperability standards, emphasizing the importance of safeguarding data integrity and preventing unauthorized access in Oracle databases.
This document outlines a series of high-risk security vulnerabilities and potential escalations found within various Oracle databases, as identified by scripted attack methods or direct manipulation of database components. The vulnerabilities are categorized based on their nature and the criticality of the risks they pose to system integrity and confidentiality. Key issues include password guessing attacks, clear-text storage of TDE wallet passwords, SQL injection flaws in multiple triggers and procedures, potential abuse of DBMS commands, and escalation of privileges through various exploit methods.
Some specific examples of vulnerabilities listed are:
1. Oracle Password 597 - A high-risk scripted attack on database password security, suggesting a method for guessing or cracking passwords.
2. Oracle Password 619 - High risk associated with clear-text storage of TDE (Transparent Data Encryption) wallet passwords.
3. Oracle Privilege 578 and following numbers - Multiple instances of SQL injection flaws within specific triggers like SDO_LRS_TRIG_INS, DBMS_METADATA.GET_DDL, and others, posing significant risks for unauthorized data access or manipulation.
4. Oracle Privilege 634-663 - Several vulnerabilities involving potential abuse and escalation of privileges through exploitation of SQL injection in different database packages (e.g., DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION, DBMS_EXPORT_EXTENSION) and procedures like DBMS_SYS_SQL.PARSE_AS_USER, SYS.KUPW$WORKER.MAIN, among others.
Each vulnerability is assigned a risk level from High to Medium based on the potential impact on system security and integrity, as well as the likelihood of exploitation by an attacker. The document also emphasizes that these vulnerabilities could lead to unauthorized access, data leakage, or complete compromise of database systems if not properly addressed. It's crucial for organizations to implement robust security measures and regularly audit their databases for such vulnerabilities to prevent potential cyber-attacks.
The provided text lists various Oracle database privilege vulnerabilities and their associated risk levels, categorized under different IDs and names. Here is a summary of each vulnerability mentioned:
1. **Oracle Privilege 664** - SQL Injection in High escalation, affecting DBMS_CDC_ISUBSCRIBE.PREPARE_UNBOUNDED_VIEW.
2. **Oracle Privilege 665** - SQL Injection in High escalation, involving DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION.
3. **Oracle Privilege 666** - SQL Injection in High escalation, linked to DBMS_CDC_ISUBSCRIBE.EXTEND_WINDOW_LIST.
4. **Oracle Privilege 667** - SQL Injection in High escalation within the package DBMS_SQLTUNE.
5. **Oracle Privilege 669** - SQL Injection in High escalation, affecting package MDSYS.SDO_LRS.
6. **Oracle Privilege 670** - SQL Injection in High escalation within the package XDB.XDB_PITRIG_PKG.
7. **Oracle Privilege 671** - SQL Injection in High escalation, related to DBMS_CDC_ISUBSCRIBE.SUBSCRIBE.
8. **Oracle Privilege 674** - Possible use of function Medium escalation, involving DBMS_XMLQUERY.GETXML in a SQL Injection exploit.
9. **Oracle Privilege 675** - Unclosed quotation mark, detected by the network-based sensor, classified as Low escalation.
10. **Oracle Privilege 684** - SQL Injection in High escalation within package DBMS_AQ_INV.
11. **Oracle Privilege 685** - Potential risk of INSERT or UPDATE on SYS.SYSAUTH$, classified as Medium escalation.
12. **Oracle Privilege 687** - Possible Cursor Injection attack, identified at High escalation.
13. **Oracle Privilege 688** - SQL Injection in High escalation within package DBMS_AQADM_SYS.
14. **Oracle Privilege 689** - SQL Injection in High escalation affecting package DBMS_APPLY_USER_AGENT.
15. **Oracle Privilege 690** - SQL Injection in High escalation related to DBMS_UPGRADE_INTERNAL.
16. **Oracle Privilege 692** - Risk of race condition identified within the RLMGR_TRUNCATE_MAINT trigger, classified as High escalation.
17. **Oracle Privilege 695** - Evil view exploit where a Read-only user can modify data, categorized as High escalation.
18. **Oracle Privilege 697** - Possible attack using SQL Injection at the Medium escalation level within CHECK_DB_PASSWORD.
19. **Oracle Privilege 698** - Access control bypass possible with SYS.DBMS_JAVA_TEST, identified as Medium escalation.
20. **Oracle Privilege 753** - Privilege escalation using DBMS_KUPP$PROC.CHANGE_USER at the Medium escalation level.
21. **Oracle Privilege 765** - SQL Injection in package MDSYS, classified as Medium escalation.
These vulnerabilities and their associated risk levels are crucial for understanding potential security risks in Oracle databases and implementing appropriate mitigation strategies to protect against such attacks.
This document outlines various security incidents and activities detected by the Oracle and Sybase sensors, grouped under the following headers:
1. **Oracle Security Tools**: Oracle DBMS_STREAMS_AUTH (587), the TNSLSNR query tool (network-based sensor, High) (173), and system events such as database started/stopped (host-based sensor) (621, 622).
2. **Oracle Web Application Attacks**: SQL injection vulnerabilities in Oracle web components such as ORASSO.WPG_SESSION (531), OWF_MGR.WF_EVENT_HTML (532), OWF_MGR.WF_LOV (533), PORTAL.WPG_SESSION (534), and Oracle Enterprise Manager (774, 775).
3. **Sybase Accessing OS Resources**: Extended stored procedures that reach the operating system, such as xp_cmdshell (3102), sending mail with xp_sendmail (3103), filesystem access via proxy tables (3106), and related Sybase audit events.
4. **Sybase Audit Events**: Categorized by action, such as SELECT, INSERT, DELETE and UPDATE statements, table and procedure creation, login attempts, altering and dropping databases, and executing system stored procedures, all of which are Informational by default.
The document also includes a technical note from ArcSight marking its contents as confidential and proprietary.
The Sybase audit events are listed with their event IDs and descriptions, all at the "Informational" risk level. They cover actions such as creating and dropping indexes or triggers, altering tables, truncating tables, committing transactions, setting user roles, and operations such as loading, dumping, and killing sessions. Each event has a unique ID in the Sybase Audit Events series that identifies the action performed in the database.
Further audit events cover database activity and user management in Sybase as recorded by ArcSight: logins, SQL statements (CREATE, ALTER, GRANT, REVOKE), procedure calls (for example sp_addlogin and sp_adduser), and other operations such as plan creation, cursor handling and error raising. These records are Informational and provide a detailed log of system activity for security, compliance and operational purposes. The event IDs are numbered from 3045 onwards, one per event type.
The Sybase sensor also reports the following event types and attacks, each with an ID and a risk level:
**Sybase Audit Events**: A TRUNCATE statement (3134). This is Informational, but may indicate malicious activity where truncation is not part of normal usage patterns.
**Buffer overflow attacks** are tied to specific SQL operations, IDs 3050 to 3053:
- XP_FREEDLL (3050): an attempt to execute the extended stored procedure, which can trigger a buffer overflow; High risk.
- DROP DATABASE (3051): a buffer overflow in the context of database management; High risk.
- DBCC CHECKVERIFY (3052): not a buffer overflow as such, but usable as part of an exploit vector; High risk.
- SELECT ALL (3053): a general SELECT that could lead to Denial of Service (DoS); Medium risk.
**Password attacks** use IDs 3100 to 3105:
- Access password hashes (Medium): may indicate unauthorized access attempts or a data breach.
- Access server login names (Low): basic credential reconnaissance that poses little threat on its own.
- Scripted password attacks and password guessing (High): indicate potential brute force or automated attacks.
**System events** include:
- Database activity not detected (Low), which may indicate a compromise or unmonitored activity.
- Operational events such as database start/stop, sensor status changes, and login/logout attempts, each with its own risk level.
**Web application attacks**:
- Comments within SQL statements, a possible indicator of application SQL injection (Low).
- A UNION clause in a SQL query, a possible indicator of SQL injection (Low).
Together, these events describe the security posture of a Sybase system and highlight the vulnerabilities and unauthorized activity that need to be monitored and addressed.
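To make the Sybase risk table above usable in a SIEM pipeline, here is an added Python example (not from the guide, and not DbProtect's own code) that parses CEF records while honouring the format's escaping rules, maps the Signature ID to the risk levels listed above, and escalates TRUNCATE events from logins outside a known baseline, as the text suggests. It assumes DbProtect places the event ID in the CEF Signature ID field and the acting login in the standard `suser` extension key; the vendor string, version and sample records are constructed.

```python
import re
# Risk levels the guide assigns to some Sybase DbProtect event IDs (taken from the text above).
SYBASE_RISK = {3050: ("XP_FREEDLL buffer overflow", "High"), 3051: ("DROP DATABASE buffer overflow", "High"),
               3052: ("DBCC CHECKVERIFY", "High"), 3053: ("SELECT ALL potential DoS", "Medium"),
               3100: ("Access password hashes", "Medium"), 3101: ("Access server login names", "Low"),
               3134: ("TRUNCATE TABLE", "Informational")}
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # a 'key=' token at the start or after whitespace


def _unescape(s):
    # Extension escapes: \\ -> \, \= -> =, \n and \r -> line breaks; any other \x -> x.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(line):
    """Split the seven '|'-delimited header fields (a backslash escapes the next char), then the extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped character: keep it, drop the backslash
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ev = dict(zip(("version", "vendor", "product", "product_version", "signature_id", "name", "severity"), fields))
    ext, keys = line[i:], list(_EXT_KEY.finditer(line[i:]))  # each value runs up to the next key token
    ev["extension"] = {m.group(1): _unescape(ext[m.end():keys[n + 1].start() if n + 1 < len(keys) else len(ext)])
                       for n, m in enumerate(keys)}
    return ev


def triage(line, expected_truncate_logins=frozenset()):
    """Map the Signature ID to the guide's risk level; flag TRUNCATE issued by logins outside the baseline."""
    ev = parse_cef(line)
    sig = int(ev["signature_id"]) if ev["signature_id"].isdigit() else None
    label, risk = SYBASE_RISK.get(sig, (ev["name"], "Unmapped"))
    login = ev["extension"].get("suser", "")
    if sig == 3134 and login not in expected_truncate_logins:
        risk = "Review"  # informational by default, but suspicious when outside normal usage patterns
    return {"id": sig, "label": label, "risk": risk, "login": login, "cef_severity": int(ev["severity"])}


SAMPLE = [  # constructed records: vendor string, version and extension keys are assumptions, not from the guide
    r"CEF:0|AppSec|DbProtect|1.0|3050|XP_FREEDLL|10|suser=sa src=10.0.0.5 msg=xp_freedll call seen",
    r"CEF:0|AppSec|DbProtect|1.0|3134|TRUNCATE TABLE|1|suser=etl_batch msg=truncate table stage\=tmp",
    r"CEF:0|AppSec|DbProtect|1.0|3134|Sybase Audit \| TRUNCATE TABLE|1|suser=webapp msg=truncate table orders",
]
if __name__ == "__main__":
    for rec in SAMPLE: print(triage(rec, expected_truncate_logins={"etl_batch"}))
```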
The remaining entries are system events from the ArcSight side of the integration, each identified by a unique ID and a brief description. All are marked "Informational" unless noted otherwise, so they record operational activity rather than raise critical alerts:
**System Events 1062 to 1079**: Filters being deleted or created (e.g., 1064, 1065, 1066), report templates being modified or deleted (e.g., 1067, 1068, 1069), and reporting actions (e.g., 1070).
**System Event 1071**: A sensor is down.
**System Events 1075 to 1077**: The ASAP module being initiated on the console and on the sensor.
**System Events 1078 to 1081**: Policy deployment and monitoring actions, some of which are marked "High", indicating potential criticality.
Together, these entries give a snapshot of operational activity and status changes within the ArcSight platform.