
SQL Injection


From: Jeff Pratt via Snort-users <snort-users () lists snort org>
Date: Wed, 26 Sep 2018 09:04:13 -0400

I am not seeing Snort picking up union select SQL injection attempts on my
WAN interface, even though the rules that should inspect these packets exist.
Has anyone else seen this, and how did you resolve it? I added the custom rules
below to try to catch them, but one always gets through: the attacker is
attempting once per IP and then moving on to a different IP. Any thoughts?







# "union ... select" in the request URI (GET-style parameters), to $HOME_NET on $HTTP_PORTS.
# Both content matches and the pcre (/U) are restricted to the http_uri buffer, which the HTTP
# preprocessor normalizes (percent-decodes) before matching, so the pcre can use \s for the
# separator. The first content is fast_pattern:only: it is used solely to select the rule in the
# fast pattern matcher and is not evaluated as a rule option on its own.
# NOTE(review): as pasted here the rule is wrapped over several lines; in a rules file a rule must
# be a single line (or continued with a trailing backslash) or it will not load - confirm the
# on-disk file.
# NOTE(review): the metadata names only the max-detect-ips and security-ips policies; a sensor
# running the balanced policy presumably does not have this rule enabled by default - check the
# loaded ruleset rather than the rules file.
# NOTE(review): sid 13990 rev 25 with this reference list looks like a Talos-distributed rule
# rather than a locally written one; local rules conventionally use sids of 1000000 and above.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select
- possible sql injection attempt - GET parameter";
flow:to_server,established; content:"union"; fast_pattern:only; http_uri;
content:"select"; nocase; http_uri; pcre:"/union\s+(all\s+)?select\s+/Ui";
metadata:policy max-detect-ips drop, policy security-ips drop, service
http; reference:bugtraq,14876; reference:bugtraq,21227;
reference:bugtraq,22582; reference:bugtraq,24067; reference:cve,2005-3004;
reference:cve,2006-0065; reference:cve,2006-0154; reference:cve,2006-2835;
reference:cve,2006-6268; reference:cve,2007-1021; reference:cve,2007-2824;
reference:cve,2011-1667; classtype:misc-attack; sid:13990; rev:25;)



# "set ansi_padding off" sent directly to a SQL server on TCP 1433, in its 16-bit-per-character
# form: every ASCII byte in the content and pcre is followed by a |00| / \x00 byte. This is the
# wide-character twin of sid 16074 (the plain-ASCII variant later in this message).
# NOTE(review): this rule watches direct database traffic to $SQL_SERVERS, not HTTP; it cannot
# fire on web-form SQL injection, which reaches the database only from the web server itself.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL
ansi_padding option"; flow:to_server,established;
content:"a|00|n|00|s|00|i|00|_|00|p|00|a|00|d|00|d|00|i|00|n|00|g|00|";
pcre:"/s\x00e\x00t\x00(\s\x00)+a\x00n\x00s\x00i\x00_\x00p\x00a\x00d\x00d\x00i\x00n\x00g\x00(\s\x00)+o\x00f\x00f\x00/smi";
metadata:policy max-detect-ips drop, policy security-ips drop;
reference:cve,2008-0106; reference:url,
msdn.microsoft.com/en-us/library/ms187403.aspx; classtype:policy-violation;
sid:16075; rev:7;)



# "insert into <something>" in the request URI (GET-style parameters). The content is only a
# fast-pattern selector; the pcre on the http_uri buffer (/U) does the real match and stops at
# the first "/" or "\" after the table name.
# NOTE(review): the destination is $HTTP_SERVERS here, whereas the union-select rules above use
# $HOME_NET. If $HTTP_SERVERS is not defined to cover the address the WAN interface sees traffic
# for, this rule can never fire regardless of the payload - confirm both variables in snort.conf.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql insert injection attempt - GET parameter"; flow:to_server,established;
content:"insert"; fast_pattern:only; http_uri;
pcre:"/insert\s+into\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips drop,
policy security-ips drop, service http; reference:cve,2012-2998;
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:13513; rev:19;)



# "union ... select" in the request body (POST parameters). All matching is on the
# http_client_body buffer (/P), which is not percent-decoded, so the pcre spells the separator
# out as either "%20" or "+" rather than \s.
# NOTE(review): a second rule carrying the same sid:15874 and rev:13 but a different option set
# appears further down in this message; Snort treats two rules with the same gid/sid as a
# conflict, so at most one of the two is actually in effect - check the load-time log.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select
- possible sql injection attempt - POST parameter";
flow:to_server,established; content:"union"; fast_pattern:only;
http_client_body; content:"select"; nocase; http_client_body;
pcre:"/union(%20|\+)+(all(%20|\+)+)?select(%20|\+)/Pi"; metadata:policy
max-detect-ips drop, policy security-ips drop, service http;
classtype:misc-attack; sid:15874; rev:13;)



# Joomla Saxum Picker (CVE-2018-7178), GET variant: requires "/index.php",
# "option=com_saxumpicker" and a "publicid=" parameter in the URI, then the pcre looks for a
# quote, ";", "#", "/*" or "--" inside the publicid value ([?&] anchors it to a parameter name).
# NOTE(review): this is an application-specific rule; it only fires on requests for that Joomla
# component and does not cover generic union-select attempts against other URLs.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Joomla Saxum Picker SQL injection attempt"; flow:to_server,established;
content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker";
fast_pattern:only; http_uri; content:"publicid="; nocase; http_uri;
pcre:"/[?&]publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui";
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy
security-ips drop, service http; reference:cve,2018-7178;
classtype:web-application-attack; sid:46338; rev:1;)



# Joomla Saxum Picker (CVE-2018-7178), POST variant of sid 46338. The component and publicid
# parameter are matched in the request body (http_client_body, /P); because that buffer is not
# percent-decoded the pcre accepts both the raw metacharacters and their %xx encodings, and
# (^|&) with the /m flag anchors publicid to the start of a body parameter.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Joomla Saxum Picker SQL injection attempt"; flow:to_server,established;
content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker";
fast_pattern:only; http_client_body; content:"publicid="; nocase;
http_client_body;
pcre:"/(^|&)publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim";
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy
security-ips drop, service http; reference:cve,2018-7178;
classtype:web-application-attack; sid:46337; rev:1;)



# Reconnaissance pattern: three occurrences of "CHAR(" (|28| is the hex escape for "(") followed
# by "[sysobjects]" in the request URI. The distance:0 on each later content chains the matches
# in order, so all four must appear in sequence rather than anywhere in the URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL char and
sysobjects - possible sql injection recon attempt";
flow:to_server,established; content:"CHAR|28|"; nocase; http_uri;
content:"CHAR|28|"; distance:0; nocase; http_uri; content:"CHAR|28|";
distance:0; nocase; http_uri; content:"[sysobjects]"; distance:0; nocase;
http_uri; metadata:policy max-detect-ips drop, policy security-ips drop,
service http; reference:url,isc.sans.org/diary.html?storyid=3823;
classtype:web-application-attack; sid:15584; rev:8;)



# "set ansi_padding off" sent directly to a SQL server on TCP 1433, plain-ASCII form
# (sid 16075 above is the 16-bit-per-character twin). Not an HTTP rule: it only sees traffic
# that reaches $SQL_SERVERS from $EXTERNAL_NET, which web-form injection does not produce.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL
ansi_padding option"; flow:to_server,established; content:"ansi_padding";
pcre:"/set\s+ansi_padding\s+off/smi"; metadata:policy max-detect-ips drop,
policy security-ips drop; reference:cve,2008-0106; reference:url,
msdn.microsoft.com/en-us/library/ms187403.aspx; classtype:policy-violation;
sid:16074; rev:4;)



# "exec master" in the request URI (GET-style parameters); the pcre runs on the normalized
# http_uri buffer (/U), so any whitespace between the two words is accepted after decoding.
# Destination is $HTTP_SERVERS, as in sid 13513 - the same variable-definition caveat applies.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql exec injection attempt - GET parameter"; flow:to_server,established;
content:"exec"; fast_pattern:only; http_uri; pcre:"/exec\s+master/Ui";
metadata:policy max-detect-ips drop, policy security-ips drop, service
http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:13512; rev:15;)



# "insert into <something>" in the request body (POST parameters), on http_client_body (/P).
# NOTE(review): the fast-pattern content is "insert " with a literal trailing space, and the
# client-body buffer is not percent-decoded. A body whose parameters encode the space as "+" or
# "%20" therefore never passes the fast-pattern stage, even though the pcre's \s+ looks more
# permissive - contrast sid 15874, which spells out (%20|\+). Confirm against a captured request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql insert injection attempt - POST parameter"; flow:to_server,established;
content:"insert "; fast_pattern:only; http_client_body;
pcre:"/insert\s+into\s+[^\/\\]+/Pi"; metadata:policy max-detect-ips drop,
policy security-ips drop, service http; reference:url,
www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:15875; rev:12;)



# "update <table> set <assignments>" in the request URI (GET-style parameters); the pcre on
# the normalized http_uri buffer (/U) requires both keywords and stops at the first "/" or "\".
# Destination is $HTTP_SERVERS - same variable-definition caveat as sid 13513.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql update injection attempt - GET parameter"; flow:to_server,established;
content:"update"; fast_pattern:only; http_uri;
pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips
drop, policy security-ips drop, service http; reference:url,
www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:13514; rev:17;)



# "exec master" in the request body (POST parameters). Unlike the GET twin (sid 13512) the
# fast-pattern content here is evaluated as a normal rule option too (fast_pattern without
# "only"), and a second content "master " must follow before the pcre runs on http_client_body.
# NOTE(review): both contents end in a literal space and the client-body buffer is not
# percent-decoded, so a "+"- or "%20"-encoded body does not match; see the note on sid 15875.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql exec injection attempt - POST parameter"; flow:to_server,established;
content:"exec "; fast_pattern; nocase; http_client_body; content:"master ";
nocase; http_client_body; pcre:"/exec\s+master/Pi"; metadata:policy
max-detect-ips drop, policy security-ips drop, service http; reference:url,
www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:15877; rev:9;)



# Second copy of sid:15874 rev:13 (the first appears earlier in this message) with an extra
# content option added.
# NOTE(review): the added content is "union select" with a literal space, matched on the
# undecoded http_client_body buffer, while the pcre in the same rule only accepts "%20" or "+"
# between the two words. For a body that contains the phrase once, the two options cannot both
# be satisfied, so this variant is stricter than the original and is unlikely to be the one that
# catches a percent-encoded POST. Because it reuses gid/sid/rev of the earlier rule, Snort will
# also report a duplicate at load time and keep at most one of the two - check the log, and if
# this variant is intended as a local rule, give it a sid in the local range (1000000 and above)
# and a rev of its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select
- possible sql injection attempt - POST parameter";
flow:to_server,established; content:"union"; fast_pattern:only;
http_client_body; content:"select"; http_client_body; content:"union
select";nocase; http_client_body;
pcre:"/union(%20|\+)+(all(%20|\+)+)?select(%20|\+)/Pi"; metadata:policy
max-detect-ips drop, policy security-ips drop, service http;
classtype:misc-attack; sid:15874; rev:13;)



# "convert(" anywhere in the request URI (|28| is the hex escape for "("). There is no pcre:
# the single fast_pattern:only content is the whole test, so expect this to fire on any URI
# containing that token. The metadata marks it as part of the community ruleset.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic
convert injection attempt - GET parameter"; flow:to_server,established;
content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy
max-detect-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:26925; rev:2;)



JEFF PRATT

Director Of Networking And Security

E.     jpratt () simplepart com

O.     (404)620-9764 ext.120

C.     (678)572-9679


[image: SimplePart] <http://simplepart.com/>

simplepart.com

84 Walton Street NW, Suite 400 | Atlanta, GA 30303


This message (including any attachments) is only for the use of the
person(s) for whom it is intended. It may contain SimplePart confidential,
proprietary and/or trade secret information. If you are not the intended
recipient, you should not copy, distribute or use this information for any
purpose, and you should delete this message and inform the sender
immediately.