Snort mailing list archives
Detecting sql injection
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 13 Jan 2010 13:41:03 -0600
I wrote a rule to detect "and 1=1".

alert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - and 1=1"; content: "GET"; http_method; uricontent: "and 1=1"; nocase; classtype:web-application-attack; sid:3000001; rev:1;)

It works. I then wrote this rule to detect "number=same number". It doesn't work. I'm certain the problem is with the pcre, because the rule triggers without it.

alert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - and number = same number"; content: "GET"; http_method; uricontent: "?"; uricontent:"and"; pcre:"/(\d+)=\1/"; classtype:web-application-attack; sid:3000006; rev:6;)

I tested the pcre against this site: http://www.regextester.com/index2.html. It works. (Testing for 1=1, 20=20, 44=44, etc. all result in matches.)

Any clues what the problem might be? Does snort not do pattern set matching? (If so, any plans to add that?)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
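As an added example (not part of Paul's post or of Snort's own code), the following Python runs the post's backreference pattern over a few constructed request URIs, once against the bytes as they would appear on the wire and once after percent-decoding, which is what a normalized URI buffer holds; it also shows a tightened variant that stops "1=10" from counting as "number = same number". It assumes only Python's re module, whose backreference handling matches PCRE for this pattern.

```python
import re
from urllib.parse import unquote

# The same pattern used in the post's pcre option.
NAIVE = re.compile(r"(\d+)=\1")

# Tightened variant: both numbers must be whole tokens, so "1=10" or
# "21=1" are no longer reported as "number = same number".
STRICT = re.compile(r"(?<!\d)(\d+)=\1(?!\d)")


def matches_raw(uri: str, pattern: re.Pattern = NAIVE) -> bool:
    """Match against the URI exactly as sent on the wire.

    A pcre option with no buffer modifier is evaluated against the raw
    payload, so a percent-encoded '=' (%3D) never looks like '=' here.
    """
    return pattern.search(uri) is not None


def matches_decoded(uri: str, pattern: re.Pattern = NAIVE) -> bool:
    """Match after percent-decoding, i.e. against the normalized URI."""
    return pattern.search(unquote(uri)) is not None


# Constructed sample URIs for illustration; not captured traffic.
SAMPLES = [
    "/item.php?id=5 and 1=1",          # literal, as tested in the post
    "/item.php?id=5%20and%2044%3D44",  # same thing, percent-encoded
    "/item.php?id=5 and 1=10",         # not equal, but NAIVE still fires
    "/item.php?id=5",                  # benign
]


def report(samples=SAMPLES) -> list[tuple[str, bool, bool, bool]]:
    """Return (uri, naive_raw, naive_decoded, strict_decoded) per sample."""
    return [
        (u, matches_raw(u), matches_decoded(u), matches_decoded(u, STRICT))
        for u in samples
    ]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The second sample is the case to watch: it only matches once the URI is decoded, so a pattern verified against a decoded string in a web tester can still miss the encoded form on the wire.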