Snort mailing list archives

Re: SQLi Injection Attempts


From: Joshua Williams <joshuwi2 () sourcefire com>
Date: Mon, 24 Oct 2016 13:04:17 -0400

Carraig,

Thanks for your submission. I'll review and test this signature and get
back to you when it's finished.

--
Josh Williams
Detection Response Team
TALOS Security Group

On Wed, Oct 19, 2016 at 4:41 PM, Stanwyck, Carraig - ASOC, Kansas City, MO <
Carraig.Stanwyck () asoc usda gov> wrote:

Good Evening,



We saw a surge in injection attempts using UAs with “testitest” in them.
“testitest (test () boogle com)” and “testitest (test () testitest com)”



alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST User Agent (SQLi Injection / Scanning)"; \
    flow:established,to_server; content:"testitest"; http_header; fast_pattern; \
    reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; \
    sid:123456789; rev:1;)



*Carraig Stanwyck*

USDA | OCIO | ASOC







------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
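
Added example, not part of the original thread and not Talos or USDA code: a retrospective search of web server access logs for the User-Agent substring the submitted rule matches on, grouped by source address. It assumes Apache/nginx "combined" log format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Substring from the rule's content match. The rule has no "nocase", so Snort
# matches it case-sensitively; this log search ignores case (an assumption).
MARKER = "testitest"

# Assumed "combined" log format; quoted fields may contain escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + ' ' + QUOTED + r'$'
)

# Constructed sample lines (documentation address ranges, made-up requests).
SAMPLE_LOG = r'''
192.0.2.10 - - [19/Oct/2016:15:02:11 -0500] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "testitest (constructed-sample)"
192.0.2.10 - - [19/Oct/2016:15:02:12 -0500] "GET /item.php?id=2 HTTP/1.1" 500 0 "-" "testitest (constructed-sample)"
198.51.100.7 - - [19/Oct/2016:15:03:40 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [19/Oct/2016:15:04:01 -0500] "GET /search?q=a HTTP/1.1" 200 300 "-" "TestITest (constructed-sample)"
198.51.100.7 - - [19/Oct/2016:15:05:00 -0500] "GET /?q=testitest HTTP/1.1" 200 90 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [19/Oct/2016:15:06:30 -0500] "GET /a HTTP/1.1" 404 0 "-" "testitest \"x\" (constructed-sample)"
this line is not in combined format
'''

def find_marker_hits(lines):
    """Return (hits, skipped): requests whose User-Agent holds MARKER, and unparsable line count."""
    hits, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = COMBINED.match(line)
        if m is None:
            skipped += 1          # count unparsable lines instead of dropping them silently
            continue
        ip, ts, request, status, _referer, ua = m.groups()
        if MARKER in ua.lower():  # User-Agent field only, not the URI or Referer
            hits.append({"ip": ip, "time": ts, "request": request,
                         "status": int(status), "ua": ua})
    return hits, skipped

def hits_per_source(hits):
    """Count matching requests per client address."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found, bad = find_marker_hits(SAMPLE_LOG.splitlines())
    print(hits_per_source(found).most_common(), "unparsed:", bad)
```

The mixed-case "TestITest" line is reported here but would not match the rule as submitted, since the rule's content match carries no nocase modifier.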

