Snort mailing list archives
Re: Final Year Project Custom MySQL Database Server Rules and Classifications Review
From: DFIRob via Snort-devel <snort-devel () lists snort org>
Date: Wed, 11 Apr 2018 00:02:25 +0200
Hi Jack,

First I think you should loop in snort-users on this, since snort-devel is really not the place for rule writing. Then Joel will jump on you saying https://www.snort.org/faq/can-i-have-help-with-my-homework, and will be totally right in this case. Nonetheless ignoring this...

Second, if $EXTERNAL_NET can talk to $SQL_SERVERS, you have a problem snort won't be able to fix. What you probably want is $HTTP_SERVERS.

Third, and I'd love to have some feedback on this one, when you do flow:to_server,established; and flags:PA; in the same rule, what does this mean exactly? Is this possible? Do we look for all sessions that start with a push-ack? What about the sessions that don't? And what about your TTL flag? Does this apply to all the packets in the session?

Fourth, about your DoS attacks, you probably want to track_by_src, if not you're just tracking high usage of your application. But then again if your $SQL_SERVERS are reachable from $EXTERNAL_NET...

Fifth, regarding sid:1000101, how is your false positive rate going? Have you tested this on any real application?

---
# Tautology SQL injection rule, searches for SELECT statement in a tcp packet and pcre parameter matches any 'n' = 'n' attempt on mysql with a packet that has time to live of 128 (usual) with push and acknowledge flags set in a mysql tcp packet request established to the mysql server with push and ack flags set, main aim of this rule is to detect 'n' = 'n' queries, works!
#
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL-EXPLOIT Potential SQL Injection detected using tautology on the MySQL server"; flow:to_server,established; pcre:"/\'[0-99]{1,}\'\s\=\s\'[0-99]{1,}\'/i"; fast_pattern:only; ttl:128; flags:PA; reference:url, https://arxiv.org/ftp/arxiv/papers/1203/1203.3324.pdf; reference:url, https://www.debuggex.com/cheatsheet/regex/pcre; metadata:policy security-ips drop, service mysql; classtype:sql-injection; sid:1000101; rev:11;)
---

Best regards,
Rob

On Sun, Apr 8, 2018 at 7:50 PM, Jack Eastwood via Snort-devel <snort-devel () lists snort org> wrote:
Good Afternoon,

I’m a final year Computer Forensics and Security student representing Leeds Beckett University in the UK and finalizing my final year project based on using Snort as an IDS to monitor an active MySQL server. For the basis of my project I have installed and configured Snort as an IDS to monitor an array of activity against a MySQL community server with a vulnerable application called “damn vulnerable web application” (DVWA) that is connected to the MySQL database.

I have uploaded three files in this email: a general MySQL rules file, a MySQL exploit rules file - where I have written custom made snort rules to detect an array of activity - and a classification configuration file in which I have also written custom made classifications in the context of my project. For each rule I have inserted comments explaining the function of each rule and the requirements on how each rule gets triggered.

I would be thankful if anyone could review these files and provide any form of feedback that could enhance these rules for future research or even potentially be published as official Snort rules. If you would like any more information regarding my project, Snort or MySQL configuration settings or anything else that could benefit the reviewing process then don’t hesitate to contact me.

Thank you and regards
Jack Eastwood

Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
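Rob's fifth point, the false positive rate of sid:1000101, is something that can be measured offline before the pcre ever reaches a sensor. The harness below is an added example written for this archive page; it is not code from either poster or from the Snort project. It transcribes the rule's pcre into Python's re module (for this pattern Python and PCRE agree; note that [0-99] is the digit class 0-9 with a redundant second 9, not the range 0..99) and runs it over a handful of constructed payloads, each labelled with the verdict a "'n' = 'n' tautology" rule is supposed to give, then tallies true/false positives and negatives. The sample payloads are constructed for the test and are not captured traffic.

```python
import re

# Transcription of the pcre in sid:1000101 (same pattern, same /i flag).
# Each side must be one or more digits in single quotes, joined by
# exactly one whitespace character, '=', one whitespace character.
TAUTOLOGY_PCRE = re.compile(r"\'[0-99]{1,}\'\s\=\s\'[0-99]{1,}\'", re.IGNORECASE)

# Constructed sample payloads (not real captures). The bool is the verdict
# a reviewer would expect from a rule whose stated aim is 'n' = 'n' queries.
SAMPLES = [
    ("SELECT * FROM users WHERE id = '1' OR '1' = '1'", True),   # textbook form
    ("SELECT * FROM users WHERE id = '1' OR '1'='1'", True),     # no spaces around =
    ("SELECT * FROM users WHERE id = '1' OR 'a' = 'a'", True),   # letters, not digits
    ("SELECT * FROM users WHERE id = '1' OR 1=1", True),         # unquoted integers
    ('INSERT INTO notes (body) VALUES ("trivially \'1\' = \'1\'")', False),  # benign text
    ("SELECT name FROM users WHERE id = '7' AND role = '2'", False),          # benign query
]


def classify(payload, expected, pattern=TAUTOLOGY_PCRE):
    """Return 'TP', 'FN', 'FP' or 'TN' for one payload.

    expected=True means the payload is one the rule is meant to catch.
    """
    hit = pattern.search(payload) is not None
    if hit and expected:
        return "TP"
    if not hit and expected:
        return "FN"
    if hit and not expected:
        return "FP"
    return "TN"


def score(samples=SAMPLES, pattern=TAUTOLOGY_PCRE):
    """Tally verdicts over a labelled sample set; returns a dict of counts."""
    counts = {"TP": 0, "FN": 0, "FP": 0, "TN": 0}
    for payload, expected in samples:
        counts[classify(payload, expected, pattern)] += 1
    return counts


if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(f"{classify(payload, expected):2s}  {payload}")
    print(score())
```

Run as-is, the tally is one true positive, three false negatives, one false positive and one true negative: the pattern only fires on the exact spacing `'1' = '1'`, misses the equally common `'1'='1'`, `'a' = 'a'` and `1=1` forms, and fires on a benign INSERT whose string literal merely contains that text, which is the kind of result the "have you tested this on any real application" question is probing for. Swapping in a candidate replacement pattern and rerunning `score()` against a larger labelled corpus is how a rule author would compare revisions before bumping rev:.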
Current thread:
- Final Year Project Custom MySQL Database Server Rules and Classifications Review Jack Eastwood via Snort-devel (Apr 08)
- Re: Final Year Project Custom MySQL Database Server Rules and Classifications Review DFIRob via Snort-devel (Apr 10)
- Re: [Snort-devel] Final Year Project Custom MySQL Database Server Rules and Classifications Review Mkultra via Snort-users (Apr 13)
- Re: [Snort-devel] Final Year Project Custom MySQL Database Server Rules and Classifications Review DFIRob via Snort-users (Apr 13)
- Re: [Snort-devel] Final Year Project Custom MySQL Database Server Rules and Classifications Review Mkultra via Snort-users (Apr 13)
- Re: Final Year Project Custom MySQL Database Server Rules and Classifications Review DFIRob via Snort-devel (Apr 10)