Re: PCRE and normalized content

[Paul Schmehl <pschmehl_lists () tx rr com>]

You were right.  I should have read the manual better.  I went back and 
found the section you quoted.  Don't know why I missed it previously. 
Thanks for pointing it out.

Anyway, this rule is now working quite well now:

alert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - 
and number = same number"; content: "GET"; http_method; uricontent:"?"; 
uricontent:"="; uricontent:"and"; pcre:"/(\d+)=\1/U"; 
classtype:web-application-attack; sid:3000006; rev:9;)

It's picking up attempted sql injection attempts like this:

000 : 47 45 54 20 2F 63 61 6C 65 6E 64 61 72 2F 65 76   GET /calendar/ev
010 : 65 6E 74 2E 70 68 70 3F 69 64 3D 31 32 32 30 30   ent.php?id=12200
020 : 38 32 38 39 31 27 25 32 30 61 6E 64 25 32 30 31   82891'%20and%201
030 : 3D 31 25 32 30 61 6E 64 25 32 30 27 27 3D 27 20   =1%20and%20''='

BTW, I read the thread you referenced.  I don't think the fact that you 
can't catch every possible instance mitigates against writing a rule that 
will catch common instances of sql injection attempts.  If I miss things 
I'm still better off than I was before, when I was missing everything.

--On January 13, 2010 6:08:52 PM -0600 "Rodrigo Montoro(Sp0oKeR)" 
<spooker () gmail com> wrote:

> Paul,
>
> I think you should read snort manual  =)
>
> Table 3.8: Snort specific modifiers for pcre
> R Match relative to the end of the last pattern match. (Similar to
> distance:0;)
> U Match the decoded URI buffers (Similar to uricontent and http uri)
> P Match normalized HTTP request body (Similar to http client body)
> H Match normalized HTTP request header (Similar to http header)
> M Match normalized HTTP request method (Similar to http method)
> C Match normalized HTTP request cookie (Similar to http cookie)
> B Do not use the decoded buffers (Similar to rawbytes)
> O Override the configured pcre match limit for this expression (See
> section 2.1.3)
>
> Anyway this rules will fail with a simples and 1<2 .
>
> I tried once to write a rules but there are to many ways to write the
> same query  take a look at this thread
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/00069
> 8.html
>
> Anyway I don't thing this list is about writing new rules =)
>
> Regards,
>
> On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists () tx rr com>
> wrote:
> > This string: %20%61%6E%64%20%31%3D%31
> > equals this string: ' and 1=1'
> > after normalization.  You can pick this up in a rule by using
> > uricontent instead of content.  But what do you do about PCRE?  Is
> > there a way to get PCRE to match against normalized content?  Or will
> > it only match against non-normalized content?
> >
> > I'm working on sql injection rules and using the following pcre:
> > pcre:"/and\s(\d+)=\1/";
> >
> > It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently
> > because it's attempting to match against the non-normalized content.
> >
> > --
> > Paul Schmehl, Senior Infosec Analyst
> > As if it wasn't already obvious, my opinions
> > are my own and not those of my employer.
> > *******************************************
> > "It is as useless to argue with those who have
> > renounced the use of reason as to administer
> > medication to the dead." Thomas Jefferson
> >
> >
> > -----------------------------------------------------------------------
> > ------- Throughout its 18-year history, RSA Conference consistently
> > attracts the world's best and brightest in the field, creating
> > opportunities for Conference attendees to learn about information
> > security's most important issues through interactions with peers,
> > luminaries and emerging and established companies.
> > http://p.sf.net/sfu/rsaconf-dev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker



Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying


------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs