False positive in 2650.2 (ORACLE user name buffer overflow attempt)

Rule: ORACLE user name buffer overflow attempt

--
Sid: 2650

--
By no means I would see myself as an expert on SQL*Net but I have 
a suspicion that 2650 has a false positive because it looks for user 
name header "(user=" and then for a non-presence of a double quote. 
My speculation is that it should be perhaps looking for a non-presence 
of a closing parenthesis.

This is the relevant extract from a false positive:

(DESCRIPTION=(CONNECT_DATA=(SID=foo)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))


I can provide a pcap if really necessary.


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl