Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Comments have been disabled from my weblog"] [Next entry: "A useful post on c.d.o.s about ADMIN_RESTRICTIONS_{listener_name}"]

Niall has clarified the ODBC trace issue



I posted a blog entry last week about the many possible techniques that could be used to audit the SQL that is sent from a black box application to the database server. This is where the source code is not available for the application. I posted the entry "Auditing the SQL a black box application submits to the database" where I said, amongst other things:

"I am (almost?) certain OBDC trace can be used as well. I need to investigate this option - assuming ODBC is used of course"

Niall emailed me at the end of last week to let me know that ODBC trace is not useful in grabbing the SQL sent from an application that uses ODBC. Niall told me the following:



  • It traces the ODBC calls and not the SQL itself - so you get lines like those listed at the end

  • It is unbelievably slow, I mean truly, awfully slow

  • I'm fairly sure that the original guy was using ADO which doesn't necessarily mean ODBC is involved anywhere




Thanks to Niall for the clarification on the ODBC issue.

For reference I also posted a second post on the subject of grabbing and auditing the SQL - This was called "Addendum to yesterdays auditing SQL from black box third party applications"

Finally Niall also made an additional post to http://groups-beta.google.com/group/comp.databases.oracle.server/browse_frm/thread/64968f2adf0e6a7c/71c92ae7a86a2ca7?q=%22Auditing+an+app%27s+SQL+-+How%3F%22&_done=%2Fgroups%3Fq%3D%22Auditing+an+app%27s+SQL+-+How%3F%22%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#71c92ae7a86a2ca7 - (broken link) the original thread on c.d.o.s today about ODBC that said:

"It is incredibly slow, and incredibly verbose. Those who bemoan the 'overhead' of timed_statistics=true or sql_trace ought to try it someday :("