[Snort-sigs] Great new MS SQL Rules

Matthew Jonkman matt at ...2436...
Mon Jul 12 20:21:07 EDT 2004


Joseph Gama has submitted a boatload of MS SQL rules. There are a lot of 
them, so I'm going to post them in waves to the bleeding rules so as not 
to inundate everyone.

The first round is up and in the ruleset. Future waves will go into 
Stable-Side and I'll pull a ruleset over every day or so till they're 
all in the main ruleset depending on how they go. If we don't have any 
major tweaks or falses they'll come over faster.

The URL for the Stable-Side set is 
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable-Side/

Many thanks, Joseph. Great work.

The first round:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection closing string plus line comment"; flow:to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference: url,http.www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,http.www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000371; rev:1;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements line comment"; flow:to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference: url,http.www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,http.www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000372; rev:1;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection line comment"; flow:to_server,established; content:"-|00|-|00|"; reference: url,http.www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,http.www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000373; rev:1;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; flow:to_server,established; content:"'|00|"; content:"+|00|"; reference: url,http.www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,http.www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000374; rev:1;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong input with an OR"; flow:to_server,established; content:"'|00|"; content:"O|00|R|00|"; reference: url,http.www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,http.www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000375; rev:1;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; reference: url,http.www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,http.www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000376; rev:1;)
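
As an added illustration (not part of this post or of Joseph's rules), the Python below emulates the content matching of the six sids against constructed sample batches encoded the way TDS carries SQL text on the wire (UTF-16LE), which is why every ASCII character in the rules is followed by |00|. The sample queries and the matcher are assumptions for the demonstration, not captured traffic.

```python
# Added example, not from the original post or Joseph Gama's rules: emulate
# the content matching of the six sids above. TDS carries SQL batch text as
# UTF-16LE, which is why every ASCII character in the rules is followed
# by |00|.
from typing import Dict, List, Tuple

# sid -> content patterns as the raw bytes Snort would look for. Each
# content option is independent (no distance/within in these rules), so
# the patterns may appear anywhere in the payload and in any order.
# The rule text writes the semicolon as \; only because ; must be escaped
# inside a Snort content string; on the wire it is a plain 0x3B.
RULES: Dict[int, Tuple[bytes, ...]] = {
    2000371: (b"'\x00", b"-\x00-\x00"),    # closing string plus line comment
    2000372: (b";\x00", b"-\x00-\x00"),    # statements plus line comment
    2000373: (b"-\x00-\x00",),             # line comment alone
    2000374: (b"'\x00", b"+\x00"),         # guessing the column name
    2000375: (b"'\x00", b"O\x00R\x00"),    # quote plus OR, nocase
    2000376: (b"'\x00", b"'\x00'\x00"),    # statements, no line comment
}

def to_tds_text(sql: str) -> bytes:
    """Encode a SQL batch as TDS puts it on the wire (UTF-16LE)."""
    return sql.encode("utf-16-le")

def matching_sids(payload: bytes) -> List[int]:
    """Return the sids whose content patterns all occur in the payload.
    The rules carry nocase; for these ASCII-only patterns, lowercasing the
    UTF-16LE bytes is equivalent, since the |00| high bytes are untouched."""
    hay = payload.lower()
    return sorted(sid for sid, pats in RULES.items()
                  if all(p.lower() in hay for p in pats))

# Constructed sample batches (not captured traffic): the first has the
# quote / OR / line-comment shape the rules target; the others are benign.
SAMPLES = {
    "injection":    "SELECT * FROM users WHERE name = '' OR 1=1 --",
    "benign_order": "SELECT title FROM books WHERE author = 'Orwell' ORDER BY title",
    "benign_plain": "SELECT id FROM orders WHERE status = 1",
}

def evaluate(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[int]]:
    """Run every sample through the emulated rule set."""
    return {name: matching_sids(to_tds_text(sql)) for name, sql in samples.items()}

if __name__ == "__main__":
    for name, sids in evaluate().items():
        print(f"{name:13s} -> {sids or 'no alert'}")
```

The benign_order sample fires sid 2000375 only because "author" and "ORDER" contain the letters OR somewhere in the same batch as a quoted literal, which is the kind of false positive to watch for while these rules sit in Stable-Side.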
