[Snort-sigs] SQL Injection attacks with UNION kw, rule

Joshua Wright jwright at ...2228...
Sat Feb 14 09:45:02 EST 2004


I was taking a look at some of the recent PHPNuke SQL Injection 
vulnerabilities, and I noticed that Snort wasn't detecting the use of 
the UNION keyword in uricontent.

I put this rule together:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible \
SQL Injection Attack"; uricontent:"union "; nocase; \
flow:to_server,established; classtype:attempted-admin; sid:10001; \
rev:1;)

I don't have an environment where I can do much thorough testing to 
identify false-positives, but I thought I would submit this rule for 
review.  Comments welcome.

Thanks.

-Joshua Wright
jwright at ...2228...
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
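
An added example (not part of the original message, and not Snort code): a Python approximation of the posted rule's uricontent:"union "; nocase; test, run over constructed sample URIs to show the kind of false positives the message asks about. Percent-decoding as a stand-in for Snort's HTTP URI normalization, and the names parse_options, rule_matches and evaluate, are assumptions.

```python
import re
from urllib.parse import unquote

# The rule exactly as posted above, with the "\" line continuations joined.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible '
        'SQL Injection Attack"; uricontent:"union "; nocase; '
        'flow:to_server,established; classtype:attempted-admin; sid:10001; rev:1;)')

# Constructed sample URIs (not captured traffic): (raw URI, is it really an attack?)
SAMPLES = [
    ("/page.php?id=1%20UNION%20SELECT%20null", True),
    ("/search.php?q=credit%20union%20hours", False),
    ("/docs/Student%20Union%20Map.pdf", False),
    ("/forum/view.php?topic=reunion%20photos", False),
    ("/news/european-union-summit.html", False),
    ("/index.php?page=reunion", False),
]

OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_options(rule):
    """Split the parenthesised rule body into (name, value) pairs; flags get None."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(m.group(1), m.group(2).strip('"') if m.group(2) is not None else None)
            for m in OPTION_RE.finditer(body)]

def rule_matches(rule, raw_uri):
    """Approximate uricontent matching for a rule with one uricontent option."""
    opts = parse_options(rule)
    patterns = [v for n, v in opts if n == "uricontent"]
    # Assumption: percent-decoding stands in for Snort's HTTP URI normalization.
    uri = unquote(raw_uri)
    if any(n == "nocase" for n, _ in opts):
        uri, patterns = uri.lower(), [p.lower() for p in patterns]
    return all(p in uri for p in patterns)

def evaluate(rule, samples):
    """Count true/false positives and negatives over labelled sample URIs."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for uri, is_attack in samples:
        hit = rule_matches(rule, uri)
        counts[("t" if hit == is_attack else "f") + ("p" if hit else "n")] += 1
    return counts

if __name__ == "__main__":
    for uri, _ in SAMPLES:
        print("ALERT" if rule_matches(RULE, uri) else "     ", uri)
    print(evaluate(RULE, SAMPLES))
```

The benign hits come from ordinary uses of the word "union" followed by a space, including inside a longer word such as "reunion".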



