Snort mailing list archives

Re: [Emerging-Sigs] which SQL injection detection rule is best when considering performance, false-positive, real attack


From: Martin Holste <mcholste () gmail com>
Date: Wed, 1 Dec 2010 10:39:44 -0600

One thing to consider: if you're using any http preprocessor content
modifiers like uricontent, then you may decide you don't want to
specify ports to perform inspection on, since the http preproc has
done the work already anyway.

I think #1 is your best bet.  #2 won't work because the URI won't be
normalized (it will be encoded so the literal "+" won't be there).
#3-5 could be interesting, but I don't know if the load would be more
or less than the basic uricontent check.  SQLi via a cookie param or
POST param would be interestingly unconventional and might catch some
by surprise.  Injection via a raw header would also be less likely to
be sanitized, but also less likely to be used as user input.  On the
other hand, who knows how many SQLi vulns exist in web server log stat
packages?  Maybe SQLi on a user-agent field could get your code in
unexpected places.

2010/12/1 김무성 <kimms () infosec co kr>:
Hello list.

Which SQL injection detection rule or combination is best when considering
performance, false positives, and real attacks?

1. alert tcp any any -> any 80 (uricontent:"+and+1";)

2. alert tcp any any -> any 80 (content:"+and+1"; nocase;)

3. alert tcp any any -> any 80 (content:"+and+1"; http_header; nocase;)

4. alert tcp any any -> any 80 (content:"+and+1"; http_cookie; nocase;)

5. alert tcp any any -> any 80 (content:"+and+1"; http_client_body; nocase;)

Thanks,



_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
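Editor's added example, not code from the thread, from Snort or from either poster: a toy model of the buffers that Snort's http_inspect preprocessor hands to the content modifiers named in the question (normalized URI, raw payload, header block, cookie, client body), run against a few constructed requests so you can see which of the five candidate rules would fire on each. The URI normalizer is a simplification (percent-decoding plus slash and dot-segment cleanup; a literal "+" is left alone), the Cookie header is modelled as extracted out of the header buffer into its own buffer, as http_inspect does when cookie extraction is enabled, and the host name and request bodies are made up. All of that is assumption, not a reimplementation of the preprocessor.

```python
"""
Which buffer does each of the five candidate rules actually search?

Editor's example for the thread above, not Snort's code and not the poster's.
The URI normalizer and the cookie-extraction behaviour are deliberate
simplifications (assumptions), and the sample requests are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

PATTERN = b"+and+1"

# (rule number, buffer searched, nocase) for the five rules in the question.
# Rule 1 (uricontent) carries no nocase modifier; the other four do.
RULES = [
    (1, "uri", False),          # uricontent:"+and+1";
    (2, "raw", True),           # content:"+and+1"; nocase;
    (3, "header", True),        # content:"+and+1"; http_header; nocase;
    (4, "cookie", True),        # content:"+and+1"; http_cookie; nocase;
    (5, "client_body", True),   # content:"+and+1"; http_client_body; nocase;
]


def normalize_uri(uri: bytes) -> bytes:
    """Approximate URI normalization (assumption, not http_inspect's own):
    percent-decode path and query, collapse repeated slashes, drop '.'
    segments and resolve '..' segments.  A literal '+' is left as-is."""
    path, sep, query = uri.partition(b"?")
    path = re.sub(rb"/+", b"/", unquote_to_bytes(path))
    segments = []
    for seg in path.split(b"/"):
        if seg == b".":
            continue
        if seg == b"..":
            if len(segments) > 1:
                segments.pop()
            continue
        segments.append(seg)
    return b"/".join(segments) + sep + unquote_to_bytes(query)


def http_buffers(raw: bytes) -> dict:
    """Split one raw request into the buffers the rules inspect.  'raw' is the
    whole payload, which is what a bare content: match (no modifier) sees.
    The Cookie header is moved out of the header buffer into the cookie
    buffer (assumption: cookie extraction enabled in http_inspect)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    cookie, kept = b"", []
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()
        else:
            kept.append(line)
    return {
        "raw": raw,
        "uri": normalize_uri(uri),
        "header": b"\r\n".join(kept) + b"\r\n",
        "cookie": cookie,
        "client_body": body,
    }


def evaluate(raw: bytes) -> dict:
    """Return {rule number: True if that rule's buffer contains the pattern}."""
    bufs = http_buffers(raw)
    hits = {}
    for number, buf, nocase in RULES:
        hay, needle = bufs[buf], PATTERN
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        hits[number] = needle in hay
    return hits


# Constructed sample requests; shop.example is a made-up host.
SAMPLES = {
    "plus in query":     b"GET /item.php?id=1+and+1=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "upper case query":  b"GET /item.php?id=1+AND+1=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "pct-encoded query": b"GET /item.php?id=1%2Band%2B1=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "post body":         b"POST /item.php HTTP/1.1\r\nHost: shop.example\r\n"
                         b"Content-Type: application/x-www-form-urlencoded\r\n"
                         b"Content-Length: 12\r\n\r\nid=1+and+1=1",
    "cookie":            b"GET /item.php HTTP/1.1\r\nHost: shop.example\r\n"
                         b"Cookie: sess=42; id=1+and+1=1\r\n\r\n",
    "user-agent":        b"GET /item.php HTTP/1.1\r\nHost: shop.example\r\n"
                         b"User-Agent: stats/1.0 (1+and+1=1)\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        fired = [n for n, hit in evaluate(raw).items() if hit]
        print(f"{name:18s} rules fired: {fired}")
```

Two things the table makes visible that the rule text alone does not: rule 1 misses "+AND+1" because uricontent was written without nocase, while rule 2 catches it; and a percent-encoded "%2Band%2B1" is only found in the decoded URI buffer, never in the raw payload, so the choice of buffer decides the outcome before performance even enters the picture.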

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users