Snort mailing list archives

Re: Generic SQL injection false positives


From: Matt Olney <molney () sourcefire com>
Date: Tue, 29 Dec 2009 16:15:41 -0500

Morning exploded, but I wanted to put out some normalization data (see below
for test output):

1)  We normalize %20 to a space
2)  We normalize %3d into a =
3)  We do not normalize /**/ (or /* */)
4)  We do not normalize +
5)  We do not normalize ++

Remember, the normalization that occurs in the URI is for HTTP data
normalization (%20, ../../../, etc...) not for database normalization.  So
to handle these cases, we'd have to do some PCRE, or write an SO rule.  I'm
not done looking over all this, but I thought you might be interested in the
data.

Matt

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0xab9b948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25     query=joe'+OR+1%
33 44 31 2b 4f 52 2b 27 6d 61 72 79 26 61 63 74     3D1+OR+'mary&act
69 6f 6e 3d 73 65 61 72 63 68 26 78 3d 30 26 79     ion=search&x=0&y
3d 30 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73     =0 HTTP/1.1..Hos


[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+'mary&action=search&x=0&y=0

/**/ comment in the middle:

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0x9b92948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25     query=joe'+OR+1%
33 44 31 2b 4f 52 2b 2f 2a 2a 2f 27 6d 61 72 79     3D1+OR+/**/'mary
26 61 63 74 69 6f 6e 3d 73 65 61 72 63 68 26 78     &action=search&x
3d 30 26 79 3d 30 20 48 54 54 50 2f 31 2e 31 0d     =0&y=0 HTTP/1.1.

[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+/**/'mary&action=search&x=0&y=0

Percent 20 in the middle of the comment:

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0xa5ff948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25     query=joe'+OR+1%
33 44 31 2b 4f 52 2b 2f 2a 25 32 30 2a 2f 27 6d     3D1+OR+/*%20*/'m
61 72 79 26 61 63 74 69 6f 6e 3d 73 65 61 72 63     ary&action=searc
68 26 78 3d 30 26 79 3d 30 20 48 54 54 50 2f 31     h&x=0&y=0 HTTP/1
2e 31 0d 0a 48 6f 73 74 3a 20 31 30 2e 34 2e 31     .1..Host: 10.4.1

[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+/*
*/'mary&action=search&x=0&y=0

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0x9eca948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 2b 31     query=joe'+OR++1
25 33 44 31 2b 4f 52 2b 2f 2a 25 32 30 2a 2f 27     %3D1+OR+/*%20*/'
6d 61 72 79 26 61 63 74 69 6f 6e 3d 73 65 61 72     mary&action=sear
63 68 26 78 3d 30 26 79 3d 30 20 48 54 54 50 2f     ch&x=0&y=0 HTTP/
31 2e 31 0d 0a 48 6f 73 74 3a 20 31 30 2e 34 2e     1.1..Host: 10.4.

[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR++1=1+OR+/*
*/'mary&action=search&x=0&y=0
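As an added example (not from the post and not Snort's code), a small Python model of the HTTP_URI behaviour Matt describes, run over the four raw request URIs from the dumps above: `http_uri_normalize` is an assumption that decodes only the %XX escapes (the directory-traversal handling he mentions is not modelled), and it is followed by a literal `OR 1=1` match beside a pattern that tolerates the `+`, `++`, decoded `%20` and `/**/` separators seen in the test output.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the four raw request URIs from the test output
# in the post (taken from the RAW BUFFER dumps, before normalization).
RAW_URIS = [
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR+1%3D1+OR+'mary&action=search&x=0&y=0",
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR+1%3D1+OR+/**/'mary&action=search&x=0&y=0",
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR+1%3D1+OR+/*%20*/'mary&action=search&x=0&y=0",
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR++1%3D1+OR+/*%20*/'mary&action=search&x=0&y=0",
]


def http_uri_normalize(raw_uri: str) -> str:
    """Model (an assumption, not Snort's code) of the HTTP_URI buffer as the post
    describes it: %XX escapes are decoded (%20 -> space, %3D -> '='), while
    '+' and '/**/' are passed through untouched."""
    # urllib's unquote() decodes %XX only; unlike unquote_plus() it leaves '+' alone.
    return unquote(raw_uri)


# What a generic rule matching a literal "OR 1=1" (real space) sees: nothing,
# because the normalized buffer still carries '+' between the tokens.
NAIVE = re.compile(r"OR 1=1", re.IGNORECASE)

# Separator class covering the variants in the dumps: whitespace (decoded %20),
# one or more literal '+', and /* ... */ comments (whose body may hold a space).
SEP = r"(?:\s|\+|/\*.*?\*/)"
TOLERANT = re.compile(rf"\bOR{SEP}+1{SEP}*={SEP}*1\b", re.IGNORECASE)


def classify(raw_uri: str) -> dict:
    """Normalize one URI and report which of the two patterns fires on it."""
    uri = http_uri_normalize(raw_uri)
    return {
        "normalized": uri,
        "naive_match": bool(NAIVE.search(uri)),
        "tolerant_match": bool(TOLERANT.search(uri)),
    }


if __name__ == "__main__":
    for raw in RAW_URIS:
        print(classify(raw))
```

The first normalized string reproduces the HTTP_URI buffer shown for the first dump; the naive literal misses all four URIs while the separator-tolerant pattern matches them, which is the gap a PCRE option has to close.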
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs