Snort mailing list archives
Re: PCRE and normalized content
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 13 Jan 2010 21:24:30 -0600
You were right. I should have read the manual better. I went back and found the section you quoted. Don't know why I missed it previously. Thanks for pointing it out. Anyway, this rule is now working quite well now: alert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - and number = same number"; content: "GET"; http_method; uricontent:"?"; uricontent:"="; uricontent:"and"; pcre:"/(\d+)=\1/U"; classtype:web-application-attack; sid:3000006; rev:9;) It's picking up attempted sql injection attempts like this: 000 : 47 45 54 20 2F 63 61 6C 65 6E 64 61 72 2F 65 76 GET /calendar/ev 010 : 65 6E 74 2E 70 68 70 3F 69 64 3D 31 32 32 30 30 ent.php?id=12200 020 : 38 32 38 39 31 27 25 32 30 61 6E 64 25 32 30 31 82891'%20and%201 030 : 3D 31 25 32 30 61 6E 64 25 32 30 27 27 3D 27 20 =1%20and%20''=' BTW, I read the thread you referenced. I don't think the fact that you can't catch every possible instance mitigates against writing a rule that will catch common instances of sql injection attempts. If I miss things I'm still better off than I was before, when I was missing everything. --On January 13, 2010 6:08:52 PM -0600 "Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com> wrote:
Paul, I think you should read snort manual =) Table 3.8: Snort specific modifiers for pcre R Match relative to the end of the last pattern match. (Similar to distance:0;) U Match the decoded URI buffers (Similar to uricontent and http uri) P Match normalized HTTP request body (Similar to http client body) H Match normalized HTTP request header (Similar to http header) M Match normalized HTTP request method (Similar to http method) C Match normalized HTTP request cookie (Similar to http cookie) B Do not use the decoded buffers (Similar to rawbytes) O Override the configured pcre match limit for this expression (See section 2.1.3) Anyway this rules will fail with a simples and 1<2 . I tried once to write a rules but there are to many ways to write the same query take a look at this thread http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/00069 8.html Anyway I don't thing this list is about writing new rules =) Regards, On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:This string: %20%61%6E%64%20%31%3D%31 equals this string: ' and 1=1' after normalization. You can pick this up in a rule by using uricontent instead of content. But what do you do about PCRE? Is there a way to get PCRE to match against normalized content? Or will it only match against non-normalized content? I'm working on sql injection rules and using the following pcre: pcre:"/and\s(\d+)=\1/"; It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently because it's attempting to match against the non-normalized content. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson ----------------------------------------------------------------------- ------- Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs-- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker
Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer. ****************************************** WARNING: Check the headers before replying ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Message not available
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Message not available
- Re: PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Re: PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)