[Snort-sigs] PHP-Nuke SQL injection rule

Federico Petronio petrus at ...2312...
Mon Jul 19 08:33:01 EDT 2004


Hi... I just wrote this rule to prevent PHPNuke SQL injections like the ones
described in http://www.waraxe.us/index.php?modname=sa&id=35


drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DROP AS PHPNuke SQL injection attempt"; content:"/modules.php?"; content:"name=Search"; content:"instory="; classtype:web-application-attack; sid:100011; rev:1;)


I just tested it using snort-inline (2.1.2) and it worked OK, it dropped the
packet, but the MySQL backend (where snort is logging) started to use a
lot of CPU and the LA started climbing until I clicked "STOP" in the browser
I was using to test the rule. This happened several times with the same
result, LA climbing until clicking STOP. Finally I decided not to use the
rule until I understand the problem better.

Any idea? Do you think it's a rule issue, or should I look at the
snort-inline config/MySQL config/etc.? Until now I have never had this kind
of problem with the current config.

Thanks a lot...
-- 
                                         Federico Petronio
                                         petrus at ...2312...
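As an added example (not part of the post above), a small Python checker that pulls the content: options out of the rule and applies them, the way Snort evaluates independent content matches (each pattern anywhere in the payload, case-sensitive unless nocase follows it), to a few constructed HTTP requests. The parser handles only the plain content/nocase syntax used in this rule; the request samples are constructed for the demonstration.

```python
from dataclasses import dataclass

# The rule from the post, on one line as Snort expects it.
RULE = ('drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"DROP AS PHPNuke SQL injection attempt"; content:"/modules.php?"; '
        'content:"name=Search"; content:"instory="; '
        'classtype:web-application-attack; sid:100011; rev:1;)')


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False


def parse_contents(rule: str) -> list:
    """Extract each content:"..." option and whether a nocase; modifier follows it.

    Toy parser: assumes no ';' inside quoted strings and no |hex| escapes,
    which holds for the rule above."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options = [o.strip() for o in body.split(";") if o.strip()]
    contents = []
    for opt in options:
        if opt.startswith("content:"):
            contents.append(Content(opt[len("content:"):].strip().strip('"').encode()))
        elif opt == "nocase" and contents:
            contents[-1].nocase = True
    return contents


def rule_matches(contents, payload: bytes) -> bool:
    """All content patterns must appear somewhere in the payload (no relative modifiers)."""
    for c in contents:
        hay, needle = (payload.lower(), c.pattern.lower()) if c.nocase else (payload, c.pattern)
        if needle not in hay:
            return False
    return True


# Constructed sample requests: a normal search, a search carrying the instory
# parameter the rule keys on, and another module using instory without Search.
SAMPLE_REQUESTS = {
    "benign_search": b"GET /modules.php?name=Search&query=snort HTTP/1.1\r\nHost: nuke.example\r\n\r\n",
    "search_with_instory": b"GET /modules.php?name=Search&instory=1 HTTP/1.1\r\nHost: nuke.example\r\n\r\n",
    "other_module": b"GET /modules.php?name=News&instory=1 HTTP/1.1\r\nHost: nuke.example\r\n\r\n",
}


def evaluate(rule: str = RULE, requests: dict = SAMPLE_REQUESTS) -> dict:
    """Return {sample name: whether the rule's content options all match}."""
    contents = parse_contents(rule)
    return {name: rule_matches(contents, req) for name, req in requests.items()}
```

Only the request that carries all three strings is flagged; the benign search and the other module pass, which is the narrowness the rule was written for.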