[Snort-sigs] BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong input with an OR

Matthew Jonkman matt at ...2436...
Tue Jul 13 06:39:00 EDT 2004


Getting a lot of false positives with this rule. It'll be commented out 
in the bleeding set for the time being.

Here's the rule. Ideas welcome:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong input with an OR"; flow:to_server,established; content:"'|00|"; content:"O|00|R|00|"; reference:url,http.www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,http.www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000375; rev:1;)

Joseph, would a within be appropriate between the 2 contents? Or look 
for a space before and after the OR? A lot of the falses I'm seeing are 
from table names with an OR in them, such as ORGANIZATION, ORGAMOUNT, 
etc. I don't know enough about what you're trying to catch to make a 
modification though.

Thanks

Matt
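A small Python model of the rule's two content matches and of both tuning ideas raised in the post (a `within` between the contents, and spaces around the OR), added here as an example and not code from the thread or the Bleeding ruleset; the 32-byte `within` value and the sample SQL batches are constructed assumptions.

```python
import re

def tds_text(sql: str) -> bytes:
    """SQL batch text as TDS carries it to port 1433: UTF-16LE, hence the |00| bytes in the rule."""
    return sql.encode("utf-16-le")

# content:"'|00|" and content:"O|00|R|00|" with nocase, each matched anywhere in the payload.
QUOTE = "'".encode("utf-16-le")
OR_ANY = re.compile(b"O\x00R\x00", re.IGNORECASE)
# Second idea from the post: content:" |00|O|00|R|00| |00|" (a space on each side of OR).
OR_SPACED = re.compile(b" \x00O\x00R\x00 \x00", re.IGNORECASE)

def rule_as_posted(payload: bytes) -> bool:
    """sid:2000375 rev:1 as quoted in the post."""
    return QUOTE in payload and OR_ANY.search(payload) is not None

def rule_with_within(payload: bytes, within: int = 32) -> bool:
    """First idea, approximated: OR must lie entirely within `within` bytes after some
    quote match (Snort's within modifier, tried against every quote occurrence; the
    32-byte value is an assumption)."""
    for m in re.finditer(re.escape(QUOTE), payload):
        if OR_ANY.search(payload, m.end(), m.end() + within):
            return True
    return False

def rule_with_spaced_or(payload: bytes) -> bool:
    """Second idea: OR must be space-delimited. Caveat: tabs, newlines and 'OR with
    no space are missed, so this trades some coverage for fewer false positives."""
    return QUOTE in payload and OR_SPACED.search(payload) is not None

# Constructed sample batches: the ORGANIZATION false positive from the post,
# a real injection attempt, and a string value that merely begins with "Or".
SAMPLES = {
    "org_table": "SELECT name FROM ORGANIZATION WHERE id = 'ACME'",
    "injection": "SELECT * FROM users WHERE name = '' OR 1=1--",
    "order_value": "INSERT INTO log VALUES ('Order received')",
}

def evaluate(sql: str) -> dict:
    """Run all three variants over one batch and report which ones fire."""
    p = tds_text(sql)
    return {"posted": rule_as_posted(p), "within": rule_with_within(p), "spaced": rule_with_spaced_or(p)}

if __name__ == "__main__":
    for name, sql in SAMPLES.items():
        print(f"{name:12} {evaluate(sql)}")
```

The "order_value" batch shows that `within` alone still fires on a quoted value starting with "Or", while the space-delimited OR does not, so the two ideas address different false-positive shapes.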



