Snort mailing list archives
Generic SQL injection false positives
From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Tue, 22 Dec 2009 21:19:54 +0000
I see a lot of false positive for generic SQL injection rules. For example, SID 13514 shown here: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt"; flow:established,to_server; content:"update"; nocase; pcre:"/update[^\n]*set/i"; metadata:policy security-ips drop, service http; reference:url, www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:4;) Alas it alerts for normal traffic like this: GET /get_updates_1/assessment/frameset_yellow.asp HTTP/1.1 What if the pcre were changed somewhats? Maybe like this: pcre:"/update[^A-Z0-1_][^\n]*[^A-Z0-1_]set[^A-Z0-1_]/i"; A similar approach could be taken with other generic SQL injection rules like SIDs 13512 and 13513. Just a thought. Guise
------------------------------------------------------------------------------ This SF.Net email is sponsored by the Verizon Developer Community Take advantage of Verizon's best-in-class app development support A streamlined, 14 day to market process makes app distribution fast and easy Join now and get one step closer to millions of Verizon customers http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Generic SQL injection false positives Guise McAllaster (Dec 22)
- Re: Generic SQL injection false positives Matt Olney (Dec 22)
- Re: Generic SQL injection false positives Matt Olney (Dec 28)
- Re: Generic SQL injection false positives Paul Schmehl (Dec 28)
- Re: Generic SQL injection false positives Alex Kirk (Dec 28)
- Re: Generic SQL injection false positives Paul Schmehl (Dec 28)
- Re: Generic SQL injection false positives Guise McAllaster (Dec 28)
- Re: Generic SQL injection false positives Graham Bignell (Dec 28)
- Re: Generic SQL injection false positives Paul Schmehl (Dec 28)
- Re: Generic SQL injection false positives Paul Schmehl (Dec 28)
- Re: Generic SQL injection false positives Paul Schmehl (Dec 28)
- Re: Generic SQL injection false positives Guise McAllaster (Dec 28)