I was emailed on Thursday evening by Richard Quintin who wrote to tell me that he had read my post about the DB18 exploit code being made available. He said that he had written a snort rule that will catch the bug being exploited as he figured if it is that easy to exploit the bad guys will be at it.
Anyhow Alex Kirk responded with a more efficient rule and Richard thought i might like to post it here for the benefit of all of those who read this blog and who want to protect their databases from this issue. All credit goes to Alex Kirk. Here is the rule:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE
AUTH_ALTER_SESSION exploit attempt"; flow:to_server,established;