Snort mailing list archives
Re: [Emerging-Sigs] which SQL injection detection rule is best when considering performance, false-positive, real attack
From: Martin Holste <mcholste () gmail com>
Date: Wed, 1 Dec 2010 10:39:44 -0600
One thing to consider: if you're using any http preprocessor content modifiers like uricontent, then you may decide you don't want to specify ports to perform inspection on, since the http preproc has done the work already anyway.

I think #1 is your best bet. #2 won't work because the URI won't be normalized (it will be encoded so the literal "+" won't be there). #3-5 could be interesting, but I don't know if the load would be more or less than the basic uricontent check.

SQLi via a cookie param or POST param would be interestingly unconventional and might catch some by surprise. Injection via a raw header would also be less likely to be sanitized, but also less likely to be used as user input. On the other hand, who knows how many SQLi vulns exist in web server log stat packages? Maybe SQLi on a user-agent field could get your code in unexpected places.

2010/12/1 김무성 <kimms () infosec co kr>:
Hello list. Which SQL injection detection rule or combination is best when considering performance, false positives, and real attacks?

1. alert tcp any any -> any 80 (uricontent:"+and+1";)
2. alert tcp any any -> any 80 (content:"+and+1"; nocase;)
3. alert tcp any any -> any 80 (content:"+and+1"; http_header; nocase;)
4. alert tcp any any -> any 80 (content:"+and+1"; http_cookie; nocase;)
5. alert tcp any any -> any 80 (content:"+and+1"; http_client_body; nocase;)

Thanks,
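The following is an added example, not code from either poster or from Snort: a toy model of the buffers Snort 2's http_inspect preprocessor hands to the content modifiers named in the thread (uricontent, http_header, http_cookie, http_client_body) versus a plain `content` match on the raw payload, run over a few constructed HTTP requests to show which of the five numbered rules from the question would fire on each. The assumptions are labelled in the code: the normalized-URI buffer is modelled as percent-decoding of the raw URI (the real preprocessor does more), the http_header buffer is the header fields with the Cookie header removed (as Snort does when cookie extraction is enabled), rule 1 is case-sensitive because it has no `nocase`, and the sample requests and hostnames are made up.

```python
"""
Added example (not from the list post, not Snort's code): model which of the
thread's five rules match the literal "+and+1" in each http_inspect buffer.

Assumptions (not Snort's real implementation):
  - normalized URI buffer  = percent-decoding of the raw URI ('+' left as-is)
  - http_header buffer     = all header fields except Cookie
  - http_cookie buffer     = value of the Cookie header
  - http_client_body       = bytes after the blank line
  - plain content (rule 2) = the whole raw request, no normalization
  - rule 1 has no nocase and is case-sensitive; rules 2-5 use nocase
"""
from urllib.parse import unquote_to_bytes

PATTERN = b"+and+1"   # the literal every candidate rule in the thread looks for


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "raw_uri": uri, "headers": headers, "body": body}


def http_buffers(raw: bytes) -> dict:
    """Build the five inspection buffers the thread's rules search (modelled)."""
    req = parse_request(raw)
    header_buf = b"\r\n".join(
        n + b": " + v for n, v in req["headers"] if n.lower() != b"cookie")
    cookie_buf = b"".join(v for n, v in req["headers"] if n.lower() == b"cookie")
    return {
        "raw": raw,                                # rule 2: content, no modifier
        "uri": unquote_to_bytes(req["raw_uri"]),   # rule 1: uricontent (normalized)
        "header": header_buf,                      # rule 3: http_header
        "cookie": cookie_buf,                      # rule 4: http_cookie
        "body": req["body"],                       # rule 5: http_client_body
    }


def matching_rules(raw: bytes) -> set:
    """Return the numbers (1-5) of the thread's rules that would fire."""
    buf = http_buffers(raw)
    fired = set()
    if PATTERN in buf["uri"]:            # rule 1: case-sensitive, normalized URI
        fired.add(1)
    for num, key in ((2, "raw"), (3, "header"), (4, "cookie"), (5, "body")):
        if PATTERN.lower() in buf[key].lower():   # nocase on rules 2-5
            fired.add(num)
    return fired


# Constructed sample requests (hostnames and payloads are made up).
REQ_URI_PLUS = (b"GET /item.php?id=1+and+1=1 HTTP/1.1\r\n"
                b"Host: shop.example\r\nUser-Agent: curl/7.64\r\n\r\n")
# Same injection, but the client percent-encoded the '+' signs: only the
# normalized URI buffer still contains the literal "+and+1".
REQ_URI_PCT_PLUS = (b"GET /item.php?id=1%2Band%2B1%3D1 HTTP/1.1\r\n"
                    b"Host: shop.example\r\n\r\n")
# Spaces encoded as %20 instead of '+': no buffer contains "+and+1" at all.
REQ_URI_SPACE = (b"GET /item.php?id=1%20AND%201%3D1 HTTP/1.1\r\n"
                 b"Host: shop.example\r\n\r\n")
REQ_UA = (b"GET / HTTP/1.1\r\nHost: shop.example\r\n"
          b"User-Agent: Mozilla/5.0 1'+and+1=1--\r\n\r\n")
REQ_COOKIE = (b"GET / HTTP/1.1\r\nHost: shop.example\r\n"
              b"Cookie: session=abc'+and+1=1--\r\n\r\n")
REQ_POST = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 25\r\n\r\nuser=admin'+and+1=1--&p=x")

if __name__ == "__main__":
    samples = [("URI, literal +", REQ_URI_PLUS), ("URI, %2B", REQ_URI_PCT_PLUS),
               ("URI, %20", REQ_URI_SPACE), ("User-Agent", REQ_UA),
               ("Cookie", REQ_COOKIE), ("POST body", REQ_POST)]
    for label, raw in samples:
        print(f"{label:16s} -> rules {sorted(matching_rules(raw)) or 'none'}")
```

The `%2B` and `%20` cases are the ones worth keeping in mind when weighing the five rules: a literal `+` in the pattern only fires when the client happened to encode spaces as `+`, so the normalized-URI rule (1) is the only one that survives `%2B`, and none of the five see an attacker who uses `%20`.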
Current thread:
- which SQL injection detection rule is best when considering performance, false-positive, real attack 김무성 (Dec 01)
- Re: [Emerging-Sigs] which SQL injection detection rule is best when considering performance, false-positive, real attack Martin Holste (Dec 07)