Snort mailing list archives
Re: Generic SQL injection false positives
From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Wed, 27 Jan 2010 19:28:59 +0000
Matt,

Thank you again for following up on this and helping get improvements in place. Your continued responses and actual actions are much appreciated. As far as Shlong being an emerging star (and "hard work" -- it's just some minor PCRE changes) ... hmmmm (*thinks of someone else who could be VRT star*).

Consider this latest revision of 13514:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET parameter"; flow:established,to_server; uricontent:"update"; nocase; pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Ui"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:7;)

This doesn't detect the classic/normal attacks. A single space or a '+' between 'update' and 'set' will not match the PCRE. Examples:

/.php?user=monley';+update+set+awesome=1+where+name=guise--+
/facepalm.php?user=guise'; update set awesome=0 where name=snigel--
/bottompostsux.php?user=junkman';/**/update/**/set/**/awesome=1/**/where/**/name=ET--

The other SQL injection rule updates may suffer from the same (or similar) PCRE shortcomings but you can check yourself. I've already offered my suggestion (which was not used) and I cannot in good conscience continue to correct VRT rules for free :) but the way I see it, if you bother cranking up the PCRE engine, you might as well take advantage of all its powerfulness.

Seriously, thanks again for responding about these rules. As an indirect result of investigating it, I found a serious flaw in my snort setup and now it is fixed and boss give Guise compliment and is happy :)

Guise

On 1/26/10, Matt Olney <molney () sourcefire com> wrote:
Thanks to the hard work of Shong, one of our emerging stars on the analyst team, these are among the changes in this week's update:

Updated rules:
13512 <-> SQL generic sql exec injection attempt - GET parameter (sql.rules, High)
13513 <-> SQL generic sql insert injection atttempt - GET parameter (sql.rules, High)
13514 <-> SQL generic sql update injection attempt - GET parameter (sql.rules, High)
13990 <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules, Medium)

Thanks for the heads up on these, keep letting us know if you have any issues.

Matt
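As an added illustration (not code from the thread, from VRT, or the suggestion the message refers to), here is a small harness that runs the quoted rev 7 PCRE and a constructed alternative pattern over the three URIs from the message plus two constructed benign query strings. The alternative pattern, the benign URIs, and the use of Python's re module as a stand-in for PCRE are my assumptions; Snort's /U modifier is taken to mean matching the normalized URI.

```python
import re

# PCRE body of sid 13514 rev 7 as quoted in the thread (/U -> normalized URI,
# /i -> IGNORECASE). Python's re is a stand-in for PCRE; every construct here
# is valid in both engines.
SID_13514_REV7 = re.compile(r"update\s+[^\/\\]+set\s+[^\/\\]+", re.IGNORECASE)

# Constructed revision (assumption, not a VRT rule): accept a literal space, a
# '+' (form-encoded space, assumed to survive URI normalization) or an inline
# comment as the token separator, and make the table-name segment optional so
# "update set" also fires.
SEP = r"(?:\s|\+|/\*[^*]*\*/)+"
REVISED = re.compile(
    r"update" + SEP + r"(?:[^/\\]+?" + SEP + r")?set" + SEP + r"[^/\\]+",
    re.IGNORECASE,
)


def matches(pattern: re.Pattern, uri: str) -> bool:
    """True if the pattern fires on the (already normalized) URI."""
    return pattern.search(uri) is not None


# The three URIs from the message, reproduced as the evaluation set.
MISSED_BY_REV7 = [
    "/.php?user=monley';+update+set+awesome=1+where+name=guise--+",
    "/facepalm.php?user=guise'; update set awesome=0 where name=snigel--",
    "/bottompostsux.php?user=junkman';/**/update/**/set/**/awesome=1/**/where/**/name=ET--",
]

# Constructed benign URIs: ordinary query strings that merely contain "update",
# used to check that the revision does not add false positives on them.
BENIGN = [
    "/search.php?q=software+update+for+settings+page",
    "/news.php?title=Update:%20new%20release",
]


def evaluate(pattern: re.Pattern) -> dict:
    """Count hits over both sets; a good rule scores 3 detected and 0 flagged."""
    return {
        "injections_detected": sum(matches(pattern, u) for u in MISSED_BY_REV7),
        "benign_flagged": sum(matches(pattern, u) for u in BENIGN),
    }


if __name__ == "__main__":
    for name, pat in (("rev7", SID_13514_REV7), ("revised", REVISED)):
        print(name, evaluate(pat))
```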