[Snort-sigs] BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong input with an OR
matt at ...2436...
Tue Jul 13 06:39:00 EDT 2004
Getting a lot of false positives with this rule. It'll be commented out
in the bleeding set for the time being.
Here's the rule. Ideas welcome:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE
MS-SQL SQL Injection allowing empty or wrong input with an OR";
flow:to_server,established; content:"'|00|"; content:"O|00|R|00|";
nocase; classtype:attempted-user; sid:2000375; rev:1;)
Joseph, would a within be appropriate between the 2 contents? Or look
for a space before and after the OR? A lot of the falses I'm seeing are
from table names with an OR in them, such as ORGANIZATION, ORGAMOUNT,
etc. I don't know enough about what you're trying to catch to make a
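The two ideas raised in the message above (a within between the two contents, or a space on each side of the OR) can be compared against the posted rule with a small model of Snort content matching. This is an added example, not part of the original post and not Snort code; the within value of 20 and the sample queries are assumptions constructed for illustration.

```python
# Simplified model of Snort "content" matching, for comparing rule variants.
def utf16(text):
    return text.encode("utf-16-le")  # MS-SQL carries query text as UTF-16LE

def find_ends(payload, pattern, nocase, start, end):
    """Yield the end offset of each occurrence of pattern in payload[start:end]."""
    hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    i = hay.find(pat, start, end)
    while i != -1:
        yield i + len(pat)
        i = hay.find(pat, i + 1, end)

def rule_fires(payload, contents, prev_end=0):
    """contents: list of (pattern, nocase, within); within=None searches the whole payload."""
    if not contents:
        return True
    pattern, nocase, within = contents[0]
    if within is None:
        start, end = 0, len(payload)
    else:  # relative match: must end within N bytes of the previous match
        start, end = prev_end, min(len(payload), prev_end + within)
    return any(rule_fires(payload, contents[1:], e)
               for e in find_ends(payload, pattern, nocase, start, end))

QUOTE = (b"'\x00", False, None)
RULES = {
    "posted": [QUOTE, (b"O\x00R\x00", True, None)],            # sid:2000375 rev:1
    "within": [QUOTE, (b"O\x00R\x00", True, 20)],              # 20 is an assumed value
    "spaced": [QUOTE, (b" \x00O\x00R\x00 \x00", True, None)],  # space before and after
}
SAMPLES = {  # constructed query strings, not captured traffic
    "table_name": "SELECT name FROM ORGANIZATION WHERE city = 'Boston'",
    "quoted_word": "UPDATE orders SET note = 'priority' WHERE id = 7",
    "or_clause": "SELECT * FROM users WHERE name = 'x' OR 'a'='a'",
}

def evaluate():
    """Return {sample: {rule: fired}} for every sample/rule pair."""
    return {name: {rule: rule_fires(utf16(sql), contents)
                   for rule, contents in RULES.items()}
            for name, sql in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

On these samples the posted rule fires on all three queries, the within variant still fires on the quoted word "priority", and only the spaced variant limits the alert to the OR clause.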