[Snort-sigs] PHP-Nuke SQL injection rule

Federico Petronio fpetronio at ...2312...
Tue Jul 20 05:55:42 EDT 2004


Hi... I just wrote this rule to prevent PHPNuke SQL injections like the ones
described in http://www.waraxe.us/index.php?modname=sa&id=35


drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DROP AS PHPNuke SQL injection attempt"; flow:to_server,established; content:"/modules.php?"; content:"name=Search"; content:"instory="; classtype:web-application-attack; sid:100011; rev:1;)


I just tested it using snort-inline (2.1.2) and it worked OK, it dropped the 
packet, but the MySQL backend (where snort is logging) started to use a 
lot of CPU and the LA started climbing until I clicked "STOP" in the browser 
I was using to test the rule. This happened several times with the same 
result, LA climbing until clicking STOP. Finally I decided not to use the 
rule until I understand the problem better.

Any idea? Do you think it's a rule issue, or should I look at the 
snort-inline config/MySQL config/etc.? Until now I have never had this kind 
of problem with the current config.

Thanks a lot...
-- 
                                         Federico Petronio
                                         fpetronio at ...2312...
                                         Linux User #129974

---
There are only 10 types of people in the world:
               Those who understand binary and those who don't.
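Added example (not from the original post or from Snort): a small Python script that pulls the content options out of the rule above and evaluates them against a few constructed HTTP requests, the way Snort treats plain content matches (each pattern is searched over the whole payload independently, case-sensitively, because the rule uses no distance/within or nocase modifiers). The request lines and the host name are constructed test data; the rule string is the one posted above with the msg typo fixed and a flow option added.

```python
import re

# The rule from the post (msg typo fixed, flow:to_server,established added).
PHPNUKE_RULE = (
    'drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"DROP AS PHPNuke SQL injection attempt"; flow:to_server,established; '
    'content:"/modules.php?"; content:"name=Search"; content:"instory="; '
    'classtype:web-application-attack; sid:100011; rev:1;)'
)

# Matches content:"..." options, allowing backslash-escaped characters inside.
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')


def content_patterns(rule):
    """Return the content:"..." patterns of a Snort rule, in the order written."""
    return [m.group(1) for m in CONTENT_RE.finditer(rule)]


def rule_matches(rule, payload):
    """Plain content options (no distance/within, no nocase) are each searched
    over the entire payload, so the rule fires only if every pattern occurs
    somewhere in it, in any order, with exact case."""
    return all(p.encode() in payload for p in content_patterns(rule))


def http_get(path):
    """Build a minimal constructed HTTP/1.0 request for the given path."""
    return b"GET " + path.encode() + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n"


# Constructed sample requests (not captured traffic); "TEST" stands in for any
# parameter value, the rule does not inspect what follows "instory=".
SAMPLE_REQUESTS = {
    # ordinary search, no instory parameter -> should not match
    "benign_search": http_get("/modules.php?name=Search&query=snort"),
    # the three tokens present -> matches
    "instory_param": http_get("/modules.php?name=Search&query=x&instory=TEST"),
    # same tokens in a different order -> still matches (independent searches)
    "reordered_params": http_get("/modules.php?instory=TEST&name=Search"),
    # instory= on another module -> no match, name=Search is absent
    "other_module": http_get("/modules.php?name=News&instory=TEST"),
    # lowercase module name -> no match, content is case-sensitive without nocase
    "lowercase_module": http_get("/modules.php?name=search&instory=TEST"),
}


def evaluate_samples(rule=PHPNUKE_RULE, samples=SAMPLE_REQUESTS):
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(rule, req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} {'MATCH' if hit else 'no match'}")
```

The "reordered_params" and "lowercase_module" cases are the two behaviours worth checking before deploying the rule: the independent searches mean parameter order does not matter, while the missing nocase means a differently cased module name slips past it.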
