Snort mailing list archives

Detecting sql injection


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 13 Jan 2010 13:41:03 -0600

I wrote a rule to detect "and 1=1".

alert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - and 
1=1"; content: "GET"; http_method; uricontent: "and 1=1"; nocase; 
classtype:web-application-attack; sid:3000001; rev:1;)

It works.

I then wrote this rule to detect "number=same number".  It doesn't work.  I'm 
certain the problem is with the pcre, because the rule triggers without it.

alert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - and 
number = same number"; content: "GET"; http_method; uricontent: "?"; 
uricontent:"and"; pcre:"/(\d+)=\1/"; classtype:web-application-attack; 
sid:3000006; rev:6;)

I tested the pcre against this site: http://www.regextester.com/index2.html. 
It works.  (Testing for 1=1, 20=20, 44=44, etc all result in matches.)

Any clues what the problem might be?  Does snort not do pattern set matching? 
(If so, any plans to add that?)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
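An added check of what the backreference in the second rule actually matches (example code by the editor, not from the thread or from Snort). It assumes the pattern is applied to the percent-decoded URI, as a normalized URI buffer would hold it; the tightened pattern and the request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Backreference as written in the post's pcre option: a run of digits, "=",
# then the same run again.
ORIGINAL = re.compile(r"(\d+)=\1")

# Tightened variant (editor's suggestion, not from the thread): digit
# boundaries on both sides so "1=10" or "21=1" no longer satisfy it.
TIGHTENED = re.compile(r"(?<!\d)(\d+)=\1(?!\d)")

# Constructed request lines; the value is whether a "number=same number"
# tautology is really present in the query string.
SAMPLES = {
    "GET /item.php?id=5%20and%201=1 HTTP/1.1": True,
    "GET /item.php?id=5+and+44=44 HTTP/1.1": True,
    "GET /item.php?id=5%20and%2020=21 HTTP/1.1": False,
    "GET /item.php?id=5&page=10 HTTP/1.1": False,
    "GET /item.php?id=5%20and%201=10 HTTP/1.1": False,
}

def uri_of(request_line):
    """Extract and percent-decode the URI (assumed normalized-buffer view)."""
    return unquote_plus(request_line.split(" ")[1])

def matches(pattern, request_line):
    return pattern.search(uri_of(request_line)) is not None

def evaluate(pattern):
    """Map each sample request line to (matched, expected)."""
    return {line: (matches(pattern, line), want) for line, want in SAMPLES.items()}

def false_positives(pattern):
    """Samples the pattern flags although no tautology is present."""
    return [line for line, (got, want) in evaluate(pattern).items() if got and not want]

def misses(pattern):
    """Samples containing a tautology that the pattern does not flag."""
    return [line for line, (got, want) in evaluate(pattern).items() if want and not got]

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name, "false positives:", false_positives(pat), "misses:", misses(pat))
```

The unbounded pattern fires on "1=10" because "1=1" is a substring of it; the lookarounds remove that without losing the genuine "1=1" and "44=44" cases.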

