Snort mailing list archives

Re: Final Year Project Custom MySQL Database Server Rules and Classifications Review


From: DFIRob via Snort-devel <snort-devel () lists snort org>
Date: Wed, 11 Apr 2018 00:02:25 +0200

Hi Jack,

First I think you should loop in snort-users on this, since snort-devel is
really not the place for rule writing. Then Joel will jump on you saying
https://www.snort.org/faq/can-i-have-help-with-my-homework, and will be
totally right in this case.
Nonetheless ignoring this...

Second, if $EXTERNAL_NET can talk to $SQL_SERVERS, you have a problem snort
won't be able to fix. What you probably want is $HTTP_SERVERS.
Third, and I'd love to have some feedback on this one, when you do
flow:to_server,established; and flags:PA; in the same rule, what does this
mean exactly? Is this possible? Do we look for all sessions that start with
a push-ack? What about the sessions that don't? And what about your TTL
flag? Does this apply to all the packets in the session?
Fourth, about your dos attacks, you probably want to track_by_src; if not,
you're just tracking high usage of your application. But then again, if your
$SQL_SERVERS are reachable from $EXTERNAL_NET...
Fifth, regarding sid:1000101, how is your false positive rate going? Have
you tested this on any real application?
---
# Tautology SQL injection rule, searches for SELECT statement in a tcp
packet and pcre parameter matches any 'n' = 'n' attempt on mysql with a
packet that has time to live of 128 (usual) with push and acknowledge flags
set in a mysql tcp packet request established to the mysql server with push
and ack flags set, main aim of this rule is to detect 'n' = 'n' queries,
works! #
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL-EXPLOIT
Potential SQL Injection detected using tautology on the MySQL server";
flow:to_server,established; pcre:"/\'[0-99]{1,}\'\s\=\s\'[0-99]{1,}\'/i";
fast_pattern:only; ttl:128; flags:PA; reference:url,
https://arxiv.org/ftp/arxiv/papers/1203/1203.3324.pdf; reference:url,
https://www.debuggex.com/cheatsheet/regex/pcre; metadata:policy
security-ips drop, service mysql; classtype:sql-injection; sid:1000101;
rev:11;)
---
Best regards,
Rob
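One way to put numbers on the fifth point (false positives) before touching real traffic, as an added example that is not part of this thread: run the PCRE from the quoted sid:1000101 rule over a small set of labelled MySQL query strings and count hits and misses. The sample queries and their attack/benign labels are constructed for this example, not taken from the project.

```python
import re

# PCRE body of the quoted rule; Python's re accepts it unchanged
# ([0-99] is the digit class 0-9 with a redundant 9; \' and \= are literals).
RULE_PCRE = r"\'[0-99]{1,}\'\s\=\s\'[0-99]{1,}\'"
RULE_RE = re.compile(RULE_PCRE, re.IGNORECASE)

# Constructed sample queries as they would appear in the MySQL wire payload,
# labelled True when they carry a tautology injection. Illustrative only; a
# real test replays captured application traffic through Snort itself.
SAMPLES = [
    ("SELECT * FROM users WHERE name = 'bob' AND pw = 'x' OR '1' = '1'", True),
    ("SELECT * FROM users WHERE name = 'bob' OR '12' = '12' -- ", True),
    ("SELECT * FROM users WHERE name = 'bob' OR '1'='1'", True),    # no spaces
    ("SELECT * FROM users WHERE name = 'bob' OR 'a' = 'a'", True),  # not digits
    ("SELECT id, name FROM users WHERE id = 5", False),
    ("UPDATE orders SET status = 'shipped' WHERE id = 42", False),
    ("SELECT '1' = '1' AS always_true", False),                     # legit compare
]


def evaluate(pattern=RULE_RE, samples=SAMPLES):
    """Return per-query hit flags and TP/FP/FN/TN counts for the pattern."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    hits = []
    for query, is_attack in samples:
        fired = pattern.search(query) is not None
        hits.append(fired)
        if fired:
            counts["tp" if is_attack else "fp"] += 1
        else:
            counts["fn" if is_attack else "tn"] += 1
    return hits, counts


if __name__ == "__main__":
    hits, counts = evaluate()
    for (query, is_attack), fired in zip(SAMPLES, hits):
        print(f"{'ALERT' if fired else '  -  '} attack={is_attack!s:5} {query}")
    print(counts)  # {'tp': 2, 'fp': 1, 'fn': 2, 'tn': 2}
```

The two misses come from the rule requiring exactly one whitespace character on each side of the `=` and digits only inside the quotes, while the hit on `always_true` shows that a plain comparison in a legitimate query also fires, which is the false-positive question raised above.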

On Sun, Apr 8, 2018 at 7:50 PM, Jack Eastwood via Snort-devel <snort-devel () lists snort org> wrote:

Good Afternoon,

I’m a final year Computer Forensics and Security student representing
Leeds Beckett University in the UK and finalizing my final year project
based on using Snort as an IDS to monitor an active MySQL server.

For the basis of my project I have installed and configured Snort as an
IDS to monitor an array of activity against a MySQL community server with a
vulnerable application called “damn vulnerable web application” (DVWA) that
is connected to the MySQL database. I have uploaded three files in this email:
a general MySQL rules file, a MySQL exploit rules file (where I have
written custom made snort rules to detect an array of activity) and a
classification configuration file in which I have also written custom made
classifications in context to my project. For each rule I have inserted
comments explaining the function of each rule and the requirements on how
each rule gets triggered.

I would be thankful if anyone could review these files and provide any
form of feedback that could enhance these rules for future research or even
potentially be published as official Snort rules.

If you would like any more information regarding my project, Snort or
MySQL configuration settings or anything else that could benefit the
reviewing process then don’t hesitate to contact me.

Thank you and regards

Jack Eastwood



_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
