Snort mailing list archives

which SQL injection detection rule is best when considering performance, false-positive, real attack


From: 김무성 <kimms () infosec co kr>
Date: Wed, 1 Dec 2010 17:31:25 +0900

Hello list.

 

Which SQL injection detection rule or combination is best when considering
performance, false positives, and real attacks?

 

1. alert tcp any any -> any 80 (uricontent:"+and+1";)

2. alert tcp any any -> any 80 (content:"+and+1"; nocase;)

3. alert tcp any any -> any 80 (content:"+and+1"; http_header; nocase;)

4. alert tcp any any -> any 80 (content:"+and+1"; http_cookie; nocase;)

5. alert tcp any any -> any 80 (content:"+and+1"; http_client_body; nocase;)

 

Thanks,

 
