
Re: SQL Injection


From: "Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 26 Sep 2018 13:17:03 +0000

If the IP is changing and that’s the only thing that is different, then it could be a problem with your variable sets being set
incorrectly.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>


From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Jeff Pratt via Snort-sigs <snort-sigs () lists 
snort org>
Reply-To: Jeff Pratt <jpratt () simplepart com>
Date: Wednesday, September 26, 2018 at 9:08 AM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] SQL Injection


I am not seeing Snort pick up union select SQL injection attempts on my WAN interface, even though the rules exist to
inspect the packets. Has anyone else seen this, and how did you resolve it? I added these custom rules to try to catch them,
but one always gets through: the person hitting us is attempting once per IP and then moving on to a different IP. Any
thoughts?







# Stock rule: "union [all] select" in the normalized request URI of an HTTP request
# to $HOME_NET:$HTTP_PORTS. It can only fire if both variables cover the attacked
# host and port (the reply in this thread points at the variable sets) and HTTP
# inspection is enabled for those ports, since http_uri is a normalized buffer.
# NOTE(review): the pcre's \s+ needs real whitespace in the normalized URI; verify
# which space encodings your http_inspect config decodes (%20 vs '+') - the POST
# variant (sid:15874) spells them out explicitly in its pcre instead.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - GET 
parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_uri; content:"select"; nocase; 
http_uri; pcre:"/union\s+(all\s+)?select\s+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service 
http; reference:bugtraq,14876; reference:bugtraq,21227; reference:bugtraq,22582; reference:bugtraq,24067; 
reference:cve,2005-3004; reference:cve,2006-0065; reference:cve,2006-0154; reference:cve,2006-2835; 
reference:cve,2006-6268; reference:cve,2007-1021; reference:cve,2007-2824; reference:cve,2011-1667; 
classtype:misc-attack; sid:13990; rev:25;)



# Stock rule for MS SQL traffic on port 1433 to $SQL_SERVERS: "set ansi_padding off"
# in wide-char form (each letter followed by |00|). This is not an HTTP rule and
# cannot help with the union-select GET/POST attempts described above.
# NOTE: the "<http://...>" text glued onto reference:url looks like a mail-client
# autolink artifact - strip it before loading this line into a rules file.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL ansi_padding option"; 
flow:to_server,established; content:"a|00|n|00|s|00|i|00|_|00|p|00|a|00|d|00|d|00|i|00|n|00|g|00|"; 
pcre:"/s\x00e\x00t\x00(\s\x00)+a\x00n\x00s\x00i\x00_\x00p\x00a\x00d\x00d\x00i\x00n\x00g\x00(\s\x00)+o\x00f\x00f\x00/smi";
 metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2008-0106; 
reference:url,msdn.microsoft.com/en-us/library/ms187403.aspx<http://msdn.microsoft.com/en-us/library/ms187403.aspx>; 
classtype:policy-violation; sid:16075; rev:7;)



# Stock rule: "insert into ..." in the normalized URI. Destination is $HTTP_SERVERS,
# not $HOME_NET as in sid:13990 above: if $HTTP_SERVERS is defined more narrowly
# than the hosts actually serving HTTP, this and the other $HTTP_SERVERS rules in
# this set silently never fire - a likely explanation for "one always gets through".
# NOTE: the "<http://...>" appended to reference:url is a mail autolink artifact;
# remove it before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection attempt - GET 
parameter"; flow:to_server,established; content:"insert"; fast_pattern:only; http_uri; 
pcre:"/insert\s+into\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; 
reference:cve,2012-2998; 
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html<http://www.securiteam.com/securityreviews/5DP0N1P76E.html>;
 classtype:web-application-attack; sid:13513; rev:19;)



# Stock rule: "union [all] select" in the HTTP client body (POST parameters), with
# the separating whitespace written as %20 or + as it appears in a URL-encoded form.
# A second, modified copy with this same sid:15874 rev:13 appears later in this
# message. Snort does not treat two different rules with the same gid:sid:rev as
# distinct, so expect a duplicate-rule error or one copy being dropped; give the
# custom copy its own sid in the local range instead.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - POST 
parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_client_body; content:"select"; nocase; 
http_client_body; pcre:"/union(%20|\+)+(all(%20|\+)+)?select(%20|\+)/Pi"; metadata:policy max-detect-ips drop, policy 
security-ips drop, service http; classtype:misc-attack; sid:15874; rev:13;)



# Stock rule (CVE-2018-7178): SQL metacharacters (quote, ;, #, /*, --) in the
# publicid= parameter of the Joomla com_saxumpicker component, GET variant
# (http_uri). It requires "option=com_saxumpicker" in the URI, so it is only useful
# if that component is deployed and will not match generic union-select probes.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt"; 
flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker"; 
fast_pattern:only; http_uri; content:"publicid="; nocase; http_uri; 
pcre:"/[?&]publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7178; classtype:web-application-attack; 
sid:46338; rev:1;)



# Stock rule (CVE-2018-7178): POST variant of sid:46338, matching on the client
# body. The pcre lists the metacharacters both raw and percent-encoded (%27, %22,
# %3b, ...), presumably because the body buffer is not URL-decoded the way the
# normalized URI is. Component-specific; not a generic SQLi detector.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt"; 
flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker"; 
fast_pattern:only; http_client_body; content:"publicid="; nocase; http_client_body; 
pcre:"/(^|&)publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7178; 
classtype:web-application-attack; sid:46337; rev:1;)



# Stock rule: three "CHAR(" occurrences in order (distance:0 chains them) followed
# by "[sysobjects]" in the normalized URI - a recon pattern for MS SQL back ends.
# Narrow by construction; it will not catch plain union-select attempts.
# NOTE: the "<http://...>" appended to reference:url is a mail autolink artifact;
# remove it before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL char and sysobjects - possible sql injection recon 
attempt"; flow:to_server,established; content:"CHAR|28|"; nocase; http_uri; content:"CHAR|28|"; distance:0; nocase; 
http_uri; content:"CHAR|28|"; distance:0; nocase; http_uri; content:"[sysobjects]"; distance:0; nocase; http_uri; 
metadata:policy max-detect-ips drop, policy security-ips drop, service http; 
reference:url,isc.sans.org/diary.html?storyid=3823<http://isc.sans.org/diary.html?storyid=3823>; 
classtype:web-application-attack; sid:15584; rev:8;)



# Stock rule: ASCII twin of sid:16075 - "set ansi_padding off" sent to
# $SQL_SERVERS on port 1433. Again not HTTP, so irrelevant to web SQLi on the WAN
# interface unless port 1433 is exposed.
# NOTE: the "<http://...>" appended to reference:url is a mail autolink artifact;
# remove it before loading.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL ansi_padding option"; 
flow:to_server,established; content:"ansi_padding"; pcre:"/set\s+ansi_padding\s+off/smi"; metadata:policy 
max-detect-ips drop, policy security-ips drop; reference:cve,2008-0106; 
reference:url,msdn.microsoft.com/en-us/library/ms187403.aspx<http://msdn.microsoft.com/en-us/library/ms187403.aspx>; 
classtype:policy-violation; sid:16074; rev:4;)



# Stock rule: "exec master" in the normalized URI (MS SQL stored-procedure call via
# a GET parameter). Destination is $HTTP_SERVERS - make sure that variable covers
# the web server, or this never fires.
# NOTE: the "<http://...>" appended to reference:url is a mail autolink artifact;
# remove it before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql exec injection attempt - GET parameter"; 
flow:to_server,established; content:"exec"; fast_pattern:only; http_uri; pcre:"/exec\s+master/Ui"; metadata:policy 
max-detect-ips drop, policy security-ips drop, service http; 
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html<http://www.securiteam.com/securityreviews/5DP0N1P76E.html>;
 classtype:web-application-attack; sid:13512; rev:15;)



# Stock rule: POST-body counterpart of sid:13513 ("insert into ..." in
# http_client_body). Note the fast-pattern content is "insert " with a literal
# trailing space and the pcre uses \s+; a form body that encodes the space as %20
# or + would not satisfy either - compare sid:15874, whose pcre accepts both.
# Destination is $HTTP_SERVERS (see the note on sid:13513). The "<http://...>"
# after reference:url is a mail autolink artifact; remove it before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection attempt - POST 
parameter"; flow:to_server,established; content:"insert "; fast_pattern:only; http_client_body; 
pcre:"/insert\s+into\s+[^\/\\]+/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; 
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html<http://www.securiteam.com/securityreviews/5DP0N1P76E.html>;
 classtype:web-application-attack; sid:15875; rev:12;)



# Stock rule: "update <table> set ..." in the normalized URI, with [^\/\\]+
# excluding slashes so a path segment is not mistaken for the table name.
# Destination is $HTTP_SERVERS (see the note on sid:13513).
# NOTE: the "<http://...>" appended to reference:url is a mail autolink artifact;
# remove it before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET 
parameter"; flow:to_server,established; content:"update"; fast_pattern:only; http_uri; 
pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service 
http; 
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html<http://www.securiteam.com/securityreviews/5DP0N1P76E.html>;
 classtype:web-application-attack; sid:13514; rev:17;)



# Stock rule: POST-body counterpart of sid:13512 ("exec master" in
# http_client_body). Unlike the GET rules this uses plain fast_pattern (not :only)
# with nocase, so both contents are also evaluated as rule options. Both contents
# carry a literal trailing space, so an encoded separator (%20 / +) in the form
# body would not match them. Destination is $HTTP_SERVERS (see sid:13513 note).
# The "<http://...>" after reference:url is a mail autolink artifact; remove it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql exec injection attempt - POST 
parameter"; flow:to_server,established; content:"exec "; fast_pattern; nocase; http_client_body; content:"master "; 
nocase; http_client_body; pcre:"/exec\s+master/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, 
service http; 
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html<http://www.securiteam.com/securityreviews/5DP0N1P76E.html>;
 classtype:web-application-attack; sid:15877; rev:9;)



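# Custom copy of the union-select POST rule (the stock sid:15874 rev:13 appears
# earlier in this message). Changes relative to the pasted version:
#  - sid moved into the local range: Snort does not treat two different rules with
#    the same gid:sid:rev as distinct, so the pasted copy either failed to load or
#    replaced the stock rule. 1000001 is an example value only - pick any unused
#    local (>= 1000000) sid.
#  - "select" carries nocase again, matching the pcre's /i flag; the pasted copy had
#    dropped it, making the content case-sensitive while the pcre was not.
#  - the extra content:"union select" (literal single space) is removed: the pcre
#    already requires union/select adjacency and accepts the %20 / + encodings a
#    URL-encoded form body carries, which the literal-space content did not, so the
#    extra content only narrowed detection.
# Still depends on $HOME_NET / $HTTP_PORTS covering the target and on HTTP
# inspection being enabled for those ports so http_client_body is populated.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - POST parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_client_body; content:"select"; nocase; http_client_body; pcre:"/union(%20|\+)+(all(%20|\+)+)?select(%20|\+)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:1000001; rev:1;)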



# Community rule: a single fast-pattern content "convert(" in the normalized URI,
# with no pcre or second content to tighten it. Broad by design; it may be noisy on
# applications whose legitimate query strings contain "convert(", and it does not
# address union-select attempts.
# NOTE: the "<http://...>" appended to reference:url is a mail autolink artifact;
# remove it before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; 
flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, 
policy security-ips drop, ruleset community, service http; 
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html<http://www.securiteam.com/securityreviews/5DP0N1P76E.html>;
 classtype:web-application-attack; sid:26925; rev:2;)



JEFF PRATT

Director Of Networking And Security

E.     jpratt () simplepart com

O.     (404)620-9764 ext.120

C.     (678)572-9679

[SimplePart]<http://simplepart.com/>

simplepart.com<http://simplepart.com/>

84 Walton Street NW, Suite 400 | Atlanta, GA 30303



This message (including any attachments) is only for the use of the person(s) for whom it is intended. It may contain 
SimplePart confidential, proprietary and/or trade secret information. If you are not the intended recipient, you should 
not copy, distribute or use this information for any purpose, and you should delete this message and inform the sender 
immediately.
