[Snort-sigs] Generic SQL injection false positives

Guise McAllaster guise.mcallaster at ...2420...
Tue Dec 22 16:19:54 EST 2009

I see a lot of false positives for generic SQL injection rules.  For example,
SID 13514 shown here:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql update injection attempt"; flow:established,to_server; content:"update";
nocase; pcre:"/update[^\n]*set/i"; metadata:policy security-ips drop,
service http; reference:url,
classtype:web-application-attack; sid:13514; rev:4;)

Alas it alerts for normal traffic like this:

GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1

What if the pcre were changed somewhat?  Maybe like this:


A similar approach could be taken with other generic SQL injection rules
like SIDs 13512 and 13513.  Just a thought.

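As an added example (not from the post, and not from the Snort rule set), the following Python script runs the SID 13514 pcre body quoted above against a few constructed request lines to reproduce the false positive, next to a tightened word-boundary pattern that is this example's own assumption rather than the author's missing proposal:

```python
import re

# The pcre body from SID 13514 as quoted in the post; the /i flag maps to
# re.IGNORECASE.  The constructs used here (\b, \s, [^\n]) behave the same
# in PCRE and in Python's re module.
ORIGINAL_PCRE = re.compile(r"update[^\n]*set", re.IGNORECASE)

# Assumed tightened pattern (this example's own, not the author's):
# "update" and "set" must be whole words, each followed by whitespace, as in
# an SQL statement.  A path segment such as get_updates_1 has no word
# boundary before "update" and no whitespace after it, so it no longer fires.
TIGHTENED_PCRE = re.compile(r"\bupdate\s+[^\n]*\bset\s", re.IGNORECASE)

# Constructed sample request lines (not captured traffic).
SAMPLES = {
    "benign_path": "GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1",
    "benign_query": "GET /news.asp?section=update&view=settings HTTP/1.1",
    "injection_query": "GET /item.asp?id=1;update users set role='x' HTTP/1.1",
    "injection_body": ("POST /login.asp HTTP/1.1\r\nHost: example\r\n\r\n"
                       "user=a' ; UPDATE accounts SET pw='b'--&pass="),
}


def evaluate(pattern: re.Pattern, samples: dict) -> dict:
    """Return {sample name: True/False} for whether the pattern would alert."""
    return {name: bool(pattern.search(text)) for name, text in samples.items()}


def false_positives_removed(samples: dict) -> list:
    """Names of samples the original pattern matches but the tightened one does not."""
    before = evaluate(ORIGINAL_PCRE, samples)
    after = evaluate(TIGHTENED_PCRE, samples)
    return [name for name in samples if before[name] and not after[name]]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} original={evaluate(ORIGINAL_PCRE, SAMPLES)[name]!s:5} "
              f"tightened={evaluate(TIGHTENED_PCRE, SAMPLES)[name]}")
    print("no longer alerting:", false_positives_removed(SAMPLES))
```

The content:"update" fast-pattern prefilter in the rule is unchanged by this, so the pcre is still only evaluated on packets that contain the keyword; any replacement pattern should be replayed against real traffic before the rule is edited.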