[Snort-devel] Final Year Project Custom MySQL Database Server Rules and Classifications Review

DFIRob rd.seclists at gmail.com
Tue Apr 10 18:02:25 EDT 2018

Hi Jack,

First I think you should loop in snort-users on this, since snort-devel is
really not the place for rule writing. Then Joel will jump on you saying
https://www.snort.org/faq/can-i-have-help-with-my-homework, and will be
totally right in this case.
Nonetheless, ignoring this...

Second, if $EXTERNAL_NET can talk to $SQL_SERVERS, you have a problem snort
won't be able to fix. What you probably want is $HTTP_SERVERS.

Third, and I'd love to have some feedback on this one, when you do
flow:to_server,established; and flags:PA; in the same rule, what does this
mean exactly? Is this possible? Do we look for all sessions that start with
a push-ack? What about the sessions that don't? And what about your TTL
flag? Does this apply to all the packets in the session?

Fourth, about your DoS attacks, you probably want to track_by_src, if not
you're just tracking high usage of your application. But then again if your
$SQL_SERVERS are reachable from $EXTERNAL_NET...

Fifth, regarding sid:1000101, how is your false positive rate going? Have
you tested this on any real application?
# Tautology SQL injection rule: looks for a SELECT statement in a TCP packet
# whose payload contains an 'n' = 'n' comparison (the pcre matches a quoted
# number on both sides of '='), sent to the MySQL server in an established
# session with a time to live of 128 (usual) and the push and ack flags set.
# Main aim of this rule is to detect 'n' = 'n' queries. Works!
# Note: fast_pattern:only modifies a content match, so the SELECT content the
# comment describes has to be present for the rule to parse; rev and the
# closing parenthesis were also missing. [0-99]{1,} is the same as [0-9]+.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( \
  msg:"MYSQL-EXPLOIT Potential SQL Injection detected using tautology on the MySQL server"; \
  flow:to_server,established; \
  content:"SELECT"; nocase; fast_pattern:only; \
  pcre:"/'[0-9]+'\s=\s'[0-9]+'/i"; \
  ttl:128; flags:PA; \
  reference:url,https://arxiv.org/ftp/arxiv/papers/1203/1203.3324.pdf; \
  reference:url,https://www.debuggex.com/cheatsheet/regex/pcre; \
  metadata:policy security-ips drop, service mysql; \
  classtype:sql-injection; sid:1000101; rev:1; \
)
Best regards,

On Sun, Apr 8, 2018 at 7:50 PM, Jack Eastwood via Snort-devel <
snort-devel at lists.snort.org> wrote:

> Good Afternoon,
> I’m a final year Computer Forensics and Security student representing
> Leeds Beckett University in the UK and finalizing my final year project
> based on using Snort as an IDS to monitor an active MySQL server.
> For the basis of my project I have installed and configured Snort as an
> IDS to monitor an array of activity against a MySQL community server with a
> vulnerable application called “Damn Vulnerable Web Application” (DVWA) that
> is connected to the MySQL database. I have uploaded three files in this email:
> a general MySQL rules file, a MySQL exploit rules file (where I have
> written custom-made Snort rules to detect an array of activity) and a
> classification configuration file in which I have also written custom-made
> classifications in the context of my project. For each rule I have inserted
> comments explaining the function of each rule and the requirements on how
> each rule gets triggered.
> I would be thankful if anyone could review these files and provide any
> form of feedback that could enhance these rules for future research or even
> potentially be published as official Snort rules.
> If you would like any more information regarding my project, Snort or
> MySQL configuration settings or anything else that could benefit the
> reviewing process then don’t hesitate to contact me.
> Thank you and regards,
> Jack Eastwood
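As an added example (not part of this thread or of either poster's files), a small Python check of the sid:1000101 pcre against constructed query strings, the kind of false-positive/false-negative test the reply asks about. The sample queries and their labels are made up for illustration; the pattern uses only syntax that PCRE and Python's re share.

```python
import re

# Tightened form of the rule's pcre.  Behaviour is identical to the original
# [0-99]{1,}: a character class of "0-9 or 9" is just [0-9].
TAUTOLOGY_PCRE = re.compile(r"'[0-9]+'\s=\s'[0-9]+'", re.IGNORECASE)

# Constructed sample query strings (not real traffic), labelled True when an
# analyst would call them a tautology injection attempt and False when they
# are legitimate application traffic.
SAMPLES = [
    ("SELECT * FROM users WHERE name = 'x' OR '1' = '1'", True),
    ("SELECT * FROM users WHERE name = 'x' OR '1'='1'", True),    # no spaces
    ("SELECT * FROM users WHERE name = 'x' OR 'a' = 'a'", True),  # letters
    ("SELECT * FROM orders WHERE status = '1'", False),
    ("INSERT INTO notes (body) VALUES ('price: 1 = 1')", False),
    # Hypothetical query-builder output that keeps an always-true guard so
    # further conditions can be appended with AND; legitimate, but it matches.
    ("SELECT * FROM logs WHERE '1' = '1' AND level = 'warn'", False),
]


def rule_matches(query: str) -> bool:
    """True when the rule's pcre would fire on this payload."""
    return TAUTOLOGY_PCRE.search(query) is not None


def evaluate(samples) -> dict:
    """Count hits and misses against labelled samples (a tiny FP/FN check)."""
    counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for query, is_attack in samples:
        hit = rule_matches(query)
        if is_attack:
            counts["tp" if hit else "fn"] += 1
        else:
            counts["fp" if hit else "tn"] += 1
    return counts


if __name__ == "__main__":
    for query, is_attack in SAMPLES:
        state = "HIT " if rule_matches(query) else "miss"
        print(f"{state} attack={is_attack}: {query}")
    print(evaluate(SAMPLES))  # {'tp': 1, 'fn': 2, 'fp': 1, 'tn': 2}
```

Replacing SAMPLES with queries captured from the real application under test gives the false-positive figure the reply asks for, and the two misses show where the pattern's fixed whitespace and digits-only classes limit coverage.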