[Snort-sigs] Generic SQL injection false positives

Guise McAllaster guise.mcallaster at ...2420...
Tue Dec 22 16:19:54 EST 2009


I see a lot of false positives for generic SQL injection rules.  For example,
SID 13514 shown here:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
    msg:"SQL generic sql update injection attempt";
    flow:established,to_server;
    content:"update"; nocase;
    pcre:"/update[^\n]*set/i";
    metadata:policy security-ips drop, service http;
    reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html;
    classtype:web-application-attack;
    sid:13514; rev:4;
)

Alas it alerts for normal traffic like this:

GET /get_updates_1/assessment/frameset_yellow.asp HTTP/1.1

What if the pcre were changed somewhat?  Maybe like this:

pcre:"/update[^A-Z0-9_][^\n]*[^A-Z0-9_]set[^A-Z0-9_]/i";

A similar approach could be taken with other generic SQL injection rules
like SIDs 13512 and 13513.  Just a thought.

Guise
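The following is an added example, not part of the original post or of the Snort rule set. It replays the two pcre variants discussed above (the one shipped in SID 13514 and the tightened one proposed in the post, with the character class read as [^A-Z0-9_]) over a handful of constructed request lines, mimicking the rule's content prefilter followed by the pcre. It also exercises one edge case a practitioner should check before deploying the tightened pattern: when "set" is preceded by a percent-encoded space, the digit in "%20" satisfies the "word character" class and the boundary check fails. Whether that matters depends on whether the buffer the pcre runs against has already been URI-normalized; the `normalize` flag below simulates the decoded case with `urllib.parse.unquote` and is an assumption of this example, not a description of Snort's internals.

```python
import re
from urllib.parse import unquote

# pcre as shipped in SID 13514 (as quoted in the post)
ORIGINAL_PCRE = re.compile(r"update[^\n]*set", re.IGNORECASE)

# tightened pcre proposed in the post: require a non-word character
# after "update" and on both sides of "set"
TIGHTENED_PCRE = re.compile(
    r"update[^A-Z0-9_][^\n]*[^A-Z0-9_]set[^A-Z0-9_]", re.IGNORECASE
)

# Constructed sample request lines (not captured traffic).
SAMPLES = {
    # the benign request quoted in the post
    "benign_path": "GET /get_updates_1/assessment/frameset_yellow.asp HTTP/1.1",
    # "update" followed by a non-word char, but "set" only inside "offset"
    "benign_offset": "GET /profile_update.asp?mode=offset HTTP/1.1",
    # a plain UPDATE ... SET injection in the query string
    "injection": "GET /item.asp?id=1;update users set admin=1-- HTTP/1.1",
    # same injection with inline comments instead of spaces
    "injection_comment": "GET /item.asp?id=1;UPDATE/**/users/**/SET/**/admin=1 HTTP/1.1",
    # same injection with percent-encoded spaces
    "injection_encoded": "GET /item.asp?id=1%3bupdate%20users%20set%20admin%3d1 HTTP/1.1",
}


def rule_fires(pcre, request, normalize=False):
    """Mimic SID 13514: content:"update"; nocase; as a prefilter, then the pcre.

    normalize=True URI-decodes the line first (assumption: stands in for a
    normalized buffer; the raw payload is what the post's rule text implies).
    """
    if normalize:
        request = unquote(request)
    if "update" not in request.lower():
        return False
    return pcre.search(request) is not None


def evaluate(pcre, normalize=False):
    """Return {sample name: fired?} for every constructed request line."""
    return {name: rule_fires(pcre, req, normalize) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, pcre in (("original", ORIGINAL_PCRE), ("tightened", TIGHTENED_PCRE)):
        print(f"--- {label} pcre, raw payload ---")
        for name, fired in evaluate(pcre).items():
            print(f"{name:18s} {'ALERT' if fired else 'pass'}")
    print("--- tightened pcre, URI-decoded ---")
    for name, fired in evaluate(TIGHTENED_PCRE, normalize=True).items():
        print(f"{name:18s} {'ALERT' if fired else 'pass'}")
```

Running it shows the original pattern alerting on both benign lines and the tightened one staying quiet on them while still catching the space-separated and comment-separated injections. The percent-encoded injection is the caveat: against the raw line the tightened pcre misses it because "0" precedes "set", and it only fires once the line is decoded. If the pcre in the deployed rule is not evaluated against a normalized buffer, the boundary classes trade a false positive for a false negative on encoded payloads, so the tightened pattern should be tested against encoded samples before it replaces the shipped one.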