[Snort-sigs] SQL Injection attacks with UNION kw, rule
todb at ...794...
Sun Feb 15 10:11:01 EST 2004
Joshua Write wrote:
> I don't have an environment where I can do much through testing to
> identify false-positives, but I thought I would submit this rule for
> review. Comments welcome.
One rule I use goes the other direction -- I look for the string
"Microsoft OLE DB Provider for ODBC" in a web site response. Hits on
this serve a couple purposes; it lets me pick out IIS servers that have
verbose ODBC error messages (naughty), and on those machines, lets me
pick out broken applications, including SQL injection attempts.
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
More information about the Snort-sigs