[Snort-sigs] Generic SQL injection false positives

Paul Schmehl pschmehl_lists at ...3425...
Mon Dec 28 16:30:20 EST 2009


--On December 28, 2009 12:10:37 PM -0600 Matt Olney 
<molney at ...435...> wrote:

> I see a lot of false positive for generic SQL injection rules.  For
> example, SID 13514 shown here:
>  
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL
> generic sql update injection attempt"; flow:established,to_server;
> content:"update"; nocase; pcre:"/update[^\n]*set/i"; metadata:policy
> security-ips drop, service http;
> reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html;
> classtype:web-application-attack; sid:13514; rev:4;)
>  
> Alas it alerts for normal traffic like this:
>  
> GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1

I don't see how a sql injection attempt is going to begin with any
character other than a space preceding it.  How would the sql engine be
able to parse that?  ISTM that the update could simply be anchored on both
sides; e.g., pcre:"$update^/i";  For update to work, the only thing that can
be on either side of it is a non-alpha character or a single quote, which
the sql parser will discard.  If you want to include set (which makes
sense), I would make it a separate detection.  A typical update statement
would be UPDATE table SET blah='foo' where blah='bar' or blah like '%doo%';

Something like this would be better, in my opinion.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt"; flow:established,to_server; content:"update"; nocase; pcre:"/$update^/i"; content:"set"; nocase; pcre:"/$set^/i"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:5;)

Mind you, I haven't tested it, but it would certainly eliminate the false 
positive given in the example.

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
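An added illustration (not from either poster) of the false positive discussed in this thread: the rev:4 pattern `update[^\n]*set` is run against the request from the thread plus constructed sample requests, beside a version that expresses the "anchored on both sides" idea with PCRE word boundaries (`\b`), which is this example's own assumption rather than the rule text proposed above. Python's `re` is used as a stand-in for Snort's pcre option; `\b` and `[^\n]` behave the same in both.

```python
import re

# Constructed sample request lines. The first is the exact request quoted
# in the thread that fired SID 13514; the others are made up for this example.
REQUESTS = [
    "GET /get_updates_1/assessment/frameset_yellow.asp  HTTP/1.1",   # benign
    "GET /search.asp?q=updated+dataset HTTP/1.1",                    # benign
    "GET /news.asp?id=1;UPDATE table SET blah='foo' HTTP/1.1",       # injection-like
    "GET /item.asp?id=1' update users set pw='x' where id=1-- HTTP/1.1",
]

# Pattern as quoted from SID 13514 rev:4 in the thread.
ORIGINAL = re.compile(r"update[^\n]*set", re.IGNORECASE)

# Word-boundary variant (assumption of this example): "update" and "set"
# must each be whole tokens, i.e. bounded by non-alphanumeric characters,
# a quote, or the start/end of the data, which is how an SQL parser would
# have to see them.
ANCHORED = re.compile(r"\bupdate\b[^\n]*\bset\b", re.IGNORECASE)


def matches(pattern: re.Pattern, line: str) -> bool:
    """True when the pattern fires anywhere in the request line."""
    return pattern.search(line) is not None


def evaluate(requests=REQUESTS):
    """Return (request, original_fires, anchored_fires) for each request."""
    return [(line, matches(ORIGINAL, line), matches(ANCHORED, line))
            for line in requests]


if __name__ == "__main__":
    for line, orig, anch in evaluate():
        print(f"rev4={orig!s:5} anchored={anch!s:5}  {line}")
```

The thread's request fires the original pattern because "update" is found inside `get_updates_1` and "set" inside `frameset`, while the word-boundary variant stays quiet on it and on `updated+dataset` but still fires on the two injection-like requests.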