[Snort-sigs] Generic SQL injection false positives

Matt Olney molney at ...435...
Tue Dec 22 17:02:05 EST 2009


Guise...that one may be a little trickier...

I'm about to head out on vacation, but I'll shoot this to the VRT list and
see what they think.

Matt

On Tue, Dec 22, 2009 at 4:19 PM, Guise McAllaster <
guise.mcallaster at ...2420...> wrote:

> I see a lot of false positives for generic SQL injection rules.  For
> example, SID 13514 shown here:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
> sql update injection attempt"; flow:established,to_server; content:"update";
> nocase; pcre:"/update[^\n]*set/i"; metadata:policy security-ips drop,
> service http; reference:url,
> www.securiteam.com/securityreviews/5DP0N1P76E.html;
> classtype:web-application-attack; sid:13514; rev:4;)
>
> Alas it alerts for normal traffic like this:
>
> GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1
>
> What if the pcre were changed somewhat?  Maybe like this:
>
> pcre:"/update[^A-Z0-9_][^\n]*[^A-Z0-9_]set[^A-Z0-9_]/i";
>
> A similar approach could be taken with other generic SQL injection rules
> like SIDs 13512 and 13513.  Just a thought.
>
> Guise
>
>
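The following is an added test harness, not part of either message in the thread, that runs the SID 13514 pcre as quoted above and Guise's proposed replacement over a few constructed request lines. The bracket class in the proposal is read as `[^A-Z0-9_]` (a negated word-character class; the `0-1` in the quoted text is assumed to be a typo for `0-9`). The sample lines and their benign/attack labels are constructed for this example; the first benign line is the one Guise reported, the second is added to show a case the tighter pattern still fires on.

```python
import re

# Original pcre from SID 13514 as quoted in the thread, in Python re syntax.
# Snort's /i flag maps to re.IGNORECASE.
ORIGINAL = re.compile(r"update[^\n]*set", re.IGNORECASE)

# Guise's proposed tightening, with the class read as [^A-Z0-9_] (assumed).
# Under IGNORECASE the negated class also excludes a-z, so "update" and "set"
# may no longer be substrings of a longer identifier such as "frameset_yellow".
PROPOSED = re.compile(
    r"update[^A-Z0-9_][^\n]*[^A-Z0-9_]set[^A-Z0-9_]", re.IGNORECASE
)

# Constructed sample request lines; the labels are ours, not Snort's.
SAMPLES = {
    # The benign request from the thread: "update" and "set" only appear
    # inside path identifiers.
    "benign_path": "GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1",
    # A constructed benign request whose query parameters happen to be named
    # "update" and "set"; both keywords stand alone here, so the tighter
    # pattern still matches.
    "benign_query": "GET /prefs.asp?update=1&set=2 HTTP/1.1",
    # A constructed injection-style request that both patterns should catch.
    "attack_update": "GET /item.asp?id=1;update items set price=0 HTTP/1.1",
}


def evaluate(pattern, samples=SAMPLES):
    """Return {sample_name: True/False} for whether pattern fires on each line."""
    return {name: pattern.search(line) is not None for name, line in samples.items()}


def compare(samples=SAMPLES):
    """Run both patterns over the samples so the change in behaviour is visible."""
    return {
        "original": evaluate(ORIGINAL, samples),
        "proposed": evaluate(PROPOSED, samples),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(name, hits)
```

Two caveats when reading the results: the proposed class requires a character to follow `update` and `set`, so a keyword at the very end of the buffer would not match (a `\b` assertion would behave differently there), and the second benign sample shows that keyword-boundary checks alone do not remove every false positive, since `update` and `set` are ordinary words in URLs as well as SQL keywords.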

