[Snort-sigs] SQL Injection attacks with UNION kw, rule

Tod Beardsley todb at ...794...
Sun Feb 15 10:11:01 EST 2004

Joshua Write wrote:

> I don't have an environment where I can do much thorough testing to
> identify false-positives, but I thought I would submit this rule for
> review.  Comments welcome.

One rule I use goes the other direction -- I look for the string 
"Microsoft OLE DB Provider for ODBC" in a web site response. Hits on 
this serve a couple purposes; it lets me pick out IIS servers that have 
verbose ODBC error messages (naughty), and on those machines, lets me 
pick out broken applications, including SQL injection attempts.

"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
