[Snort-sigs] SQL Injection attacks with UNION kw, rule

Tod Beardsley todb at ...794...
Sun Feb 15 10:11:01 EST 2004


Joshua Write wrote:

> I don't have an environment where I can do much thorough testing to
> identify false-positives, but I thought I would submit this rule for
> review.  Comments welcome.

One rule I use goes the other direction -- I look for the string 
"Microsoft OLE DB Provider for ODBC" in a web site response. Hits on 
this serve a couple purposes; it lets me pick out IIS servers that have 
verbose ODBC error messages (naughty), and on those machines, lets me 
pick out broken applications, including SQL injection attempts.

-- 
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
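
The response-side check described in the message above, as an added example that is not part of the original post and is not the author's rule: an offline triage over captured request/response pairs that reports which servers leak the ODBC provider string and which pages on them triggered it. The sample traffic, addresses, paths and the `triage` helper are constructed for illustration.

```python
from collections import defaultdict

# String the post matches on in web server responses (compared case-insensitively).
MARKER = b"microsoft ole db provider for odbc"

ODBC_ERROR = (b"HTTP/1.1 500 Internal Server Error\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
              b"Microsoft OLE DB Provider for ODBC Drivers error '80040e14'")

# Constructed sample traffic: (server, request line, raw response bytes).
SAMPLE = [
    ("10.0.0.5", "GET /catalog.asp?id=12 HTTP/1.0",
     b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n<html>Widget 12</html>"),
    ("10.0.0.5", "GET /catalog.asp?id=abc HTTP/1.0", ODBC_ERROR),
    ("10.0.0.5", "GET /report.asp?month= HTTP/1.0", ODBC_ERROR),
    ("10.0.0.9", "GET /index.html HTTP/1.0",
     b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>ok</html>"),
]


def triage(pairs):
    """Map each server that leaked the marker to the sorted paths that triggered it."""
    hits = defaultdict(set)
    for server, request_line, raw_response in pairs:
        # Same test a content match on the response would make.
        if MARKER not in raw_response.lower():
            continue
        parts = request_line.split()
        uri = parts[1] if len(parts) > 1 else request_line
        # Group by path so each broken page is listed once, whatever the query string.
        hits[server].add(uri.split("?", 1)[0])
    return {server: sorted(paths) for server, paths in hits.items()}


if __name__ == "__main__":
    for server, paths in triage(SAMPLE).items():
        print(server, "leaks verbose ODBC errors on:", ", ".join(paths))
```
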




