Snort mailing list archives

Re: Generic SQL injection false positives


From: Matt Olney <molney () sourcefire com>
Date: Mon, 28 Dec 2009 13:10:37 -0500

Hey Guise,

Wanted to let you know that this is still on our radar.  We're not satisfied
with how these rules are performing either, so we're talking about a couple
of different things.  If anyone has other ideas for these rules, chime in!

Matt

On Tue, Dec 22, 2009 at 4:19 PM, Guise McAllaster <guise.mcallaster () gmail com> wrote:

I see a lot of false positives for generic SQL injection rules.  For
example, SID 13514 shown here:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql update injection attempt"; flow:established,to_server; content:"update";
nocase; pcre:"/update[^\n]*set/i"; metadata:policy security-ips drop,
service http; reference:url,
www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:13514; rev:4;)

Alas it alerts for normal traffic like this:

GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1

What if the pcre were changed somewhat?  Maybe like this:

pcre:"/update[^A-Z0-1_][^\n]*[^A-Z0-1_]set[^A-Z0-1_]/i";

A similar approach could be taken with other generic SQL injection rules
like SIDs 13512 and 13513.  Just a thought.

Guise
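To compare the two patterns before touching a production ruleset, here is an added harness (not part of the thread or of the Snort rule) that runs the original SID 13514 pcre and the proposed replacement, exactly as posted above, over the benign request from the thread plus a few constructed injection-style requests. The `0-1` range in the proposed class is kept as posted; whether `0-9` was intended is an assumption left to the reader.

```python
import re

# Original pcre from SID 13514, as quoted in the thread.
ORIGINAL_PCRE = re.compile(r"update[^\n]*set", re.IGNORECASE)

# Proposed replacement, verbatim from the post. With the /i flag the negated
# class [^A-Z0-1_] excludes lowercase letters too, so it behaves as a crude
# "not part of an identifier" boundary around "update" and "set".
PROPOSED_PCRE = re.compile(
    r"update[^A-Z0-1_][^\n]*[^A-Z0-1_]set[^A-Z0-1_]", re.IGNORECASE
)

# Constructed samples: the benign request quoted in the thread, a second
# benign request with "update"/"set" embedded in ordinary words, and two
# requests carrying an UPDATE ... SET statement that a defender wants kept.
SAMPLES = {
    "benign_frameset": "GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1",
    "benign_word": "GET /news?q=updated+settings HTTP/1.1",
    "injection_get": "GET /item.asp?id=1;update users set pass='x' where id=1-- HTTP/1.1",
    "injection_post": "POST /login.asp HTTP/1.1\r\n\r\n"
                      "user=a'; UPDATE accounts SET role='admin' WHERE 1=1;--",
}


def matches(pattern, payload):
    """True when the pcre would fire on this request body/line."""
    return pattern.search(payload) is not None


def evaluate(samples=SAMPLES):
    """Return {sample_name: (original_hits, proposed_hits)} for each sample."""
    return {
        name: (matches(ORIGINAL_PCRE, p), matches(PROPOSED_PCRE, p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (orig, prop) in evaluate().items():
        print(f"{name:18s} original={orig!s:5s} proposed={prop!s:5s}")
```

The benign requests trip only the original pattern, while both injection samples still fire under the proposed one; extend `SAMPLES` with traffic from your own environment before deciding.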


------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and
easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
