Re: [tool] Guardian () JUMPERZ NET : Rule Database is now available

[Kanatoko <anvil () jumperz net>]

Hello Steven,

> For example, the following will be bypassed by the filter *and* will
> execute.
>
> SE/**/LECT * FRO/**/M table;

You are totally right. There are a limitation on detecting SQL injection
attacks by using signature based systems. I have read the paper "SQL
Injection Signature Evasion" by Imperva.com(1), and agree with it's
conclusion,
"Signature protection against SQL Injection is simply not enough.".

But I also think that simple and generic rules will be some help to
detect attacks.

Now I research real time log analysis to detect SQL injection attacks
because this attack tends to generate a lot of HTTP traffic.

Thanks

(1)http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html

-- 
Kanatoko<anvil () jumperz net>
http://www.jumperz.net/
irc.friend.td.nu:6667 #ouroboros


On Sat, 11 Sep 2004 14:16:58 +0530
<stevenr () mastek com> wrote:

> Hi Kanatoko
>
> Good work, the rules set is pretty useful.
>
> There was one suggestion, with respect to the rules for SQL injection
> where you are checking for certain SQL keywords. In my experience, these
> checks for blacklist SQL strings arent always foolproof.
>
> For example, the following will be bypassed by the filter *and* will
> execute.
>
> SE/**/LECT * FRO/**/M table;
>
> Just thought I would share about this particular type of SQL attack
> signature.
>
>
> Regards, 
> Steven Rebello
> Technology Cell,
> Mastek Limited
> "This email is printed using 100% recycled electrons." 
>
>
> -----Original Message-----
> From: Kanatoko [mailto:anvil () jumperz net] 
> Sent: Wednesday, September 01, 2004 11:54 AM
> To: webappsec () securityfocus com
> Subject: [tool] Guardian () JUMPERZ NET : Rule Database is now available
>
> Hi list,
>
> Guardian () JUMPERZ NET is an open source web application firewall.
> It is available at http://guardian.jumperz.net/
>
> Rule database is now avaialbe at:
> http://guardian.jumperz.net/index.html?i=004
>
> Examples:
>
>   - x86 NOP sled detection:
>     http://guardian.jumperz.net/index.html?i=006&id=GID4
>
>   - NULL detection:
>     http://guardian.jumperz.net/index.html?i=006&id=GID11
>
>  - Buffer overflow detection:
>     http://guardian.jumperz.net/index.html?i=006&id=GID9
>
>  - Directory(Path) traversal detection:
>     http://guardian.jumperz.net/index.html?i=006&id=GID18
>
>  - SQL injection detection:
>     http://guardian.jumperz.net/index.html?i=006&id=GID44
>
>  - XSS detection:
>     http://guardian.jumperz.net/index.html?i=006&id=GID38
>
> Thanks
>
> Kanatoko<anvil () jumperz net>
> http://www.jumperz.net/
> irc.friend.td.nu:6667 #ouroboros
>
>
>
>
> MASTEK
> "Making a valuable difference"
> Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
> In the US, we're called MAJESCO
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically 
> indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and 
> attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended 
> person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of 
> any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. 
> This e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of 
> the recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail 
> in error, kindly delete this e-mail from all computers.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~