Snort mailing list archives

Generic SQL injection false positives


From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Tue, 22 Dec 2009 21:19:54 +0000

I see a lot of false positives for generic SQL injection rules.  For example,
SID 13514, shown here:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql update injection attempt"; flow:established,to_server; content:"update";
nocase; pcre:"/update[^\n]*set/i"; metadata:policy security-ips drop,
service http; reference:url,
www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:13514; rev:4;)

Alas, it alerts for normal traffic like this:

GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1

What if the pcre were changed somewhat?  Maybe like this:

pcre:"/update[^A-Z0-9_][^\n]*[^A-Z0-9_]set[^A-Z0-9_]/i";

A similar approach could be taken with other generic SQL injection rules
like SIDs 13512 and 13513.  Just a thought.

Guise
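The following is an added example, not part of the original post and not Snort or Sourcefire code. It runs the original SID 13514 PCRE and the tightened variant proposed above (with the character class read as [^A-Z0-9_], i.e. "not a word character") against a handful of constructed HTTP request lines, using Python's re module as a stand-in for PCRE (the constructs used behave the same in both). The sample lines other than the one quoted in the post are made up for the test; the one real caveat it surfaces is that the tightened pattern, like the original, matches the raw payload, so a URL-encoded injection (update%20users%20set) is missed unless the URI is decoded first, because the "0" in %20 is itself a word character.

```python
import re
from urllib.parse import unquote

# Original PCRE from SID 13514 as posted, and the tightened variant proposed
# in the post (character class read as [^A-Z0-9_]). Python's re is not PCRE,
# but these particular constructs behave identically.
ORIGINAL = re.compile(r"update[^\n]*set", re.I)
TIGHTENED = re.compile(r"update[^A-Z0-9_][^\n]*[^A-Z0-9_]set[^A-Z0-9_]", re.I)
# Equivalent spelling with word boundaries, which is what the negated
# classes are approximating (note \bset\b needs no trailing character).
WORD_BOUNDARY = re.compile(r"\bupdate\b[^\n]*\bset\b", re.I)

# Constructed sample request lines: (label, request line, is_real_injection).
# Only the first line comes from the original post; the rest are made up.
SAMPLES = [
    ("benign path from the post",
     "GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1", False),
    ("benign words containing the tokens",
     "GET /updated/reset.css HTTP/1.1", False),
    ("injection in a query string",
     "GET /item.asp?id=1;update users set admin=1-- HTTP/1.1", True),
    ("injection with URL-encoded spaces",
     "GET /item.asp?id=1;update%20users%20set%20admin=1 HTTP/1.1", True),
    ("injection with comment padding",
     "GET /item.asp?id=1;update/**/users/**/set/**/admin=1 HTTP/1.1", True),
]


def matches(pattern, line, decode=False):
    """True if the rule's PCRE would fire on this request line.

    decode=True percent-decodes the line first, standing in for matching
    against a normalized URI buffer instead of the raw payload.
    """
    text = unquote(line) if decode else line
    return pattern.search(text) is not None


def evaluate(pattern, decode=False):
    """Map each sample label to (fired, is_real_injection)."""
    return {label: (matches(pattern, line, decode), bad)
            for label, line, bad in SAMPLES}


def false_positives(pattern, decode=False):
    """Benign samples the pattern fires on."""
    return [label for label, (fired, bad) in evaluate(pattern, decode).items()
            if fired and not bad]


def false_negatives(pattern, decode=False):
    """Real injections the pattern fails to fire on."""
    return [label for label, (fired, bad) in evaluate(pattern, decode).items()
            if bad and not fired]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("tightened", TIGHTENED),
                      ("word-boundary", WORD_BOUNDARY)):
        for decode in (False, True):
            print(f"{name:14s} decode={decode!s:5s} "
                  f"FP={false_positives(pat, decode)} "
                  f"FN={false_negatives(pat, decode)}")
```

Run as a script it prints, for each pattern, which benign lines fire and which injections are missed, with and without percent-decoding. The tightened pattern removes both false positives, but on the raw payload it also drops the %20-separated injection; decoding first (or, in Snort terms, matching the normalized URI rather than the raw stream) brings that one back without reintroducing the false positives.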
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs