[Snort-sigs] Generic SQL injection false positives
pschmehl_lists at ...3425...
Mon Dec 28 17:09:47 EST 2009
No, I got my delimiters reversed. It should be /^update$/ and /^set$/.
Sorry for the confusion.
I don't think you'd want to use "m" because then you force the content
match to be at the very beginning or end of the buffer or immediately
before a newline.
--On December 28, 2009 4:46:28 PM -0500 Alex Kirk <akirk at ...435...>
> Let me ask a quick clarifying question here. As I understand my PCRE,
> "$" means "end-of-buffer" (if you've specified the "m" option, or just
> "end-of-line" otherwise), and "^" outside of a character class means
> "start-of-buffer" (or line, depending on the use of "m"). Thus,
> "/$update^/i" would never actually match anything, since the end can't
> come before the beginning.
> Were you trying to work some other PCRE magic I'm unfamiliar with? Or
> should I just read your verbal description and instead try, say,
> On Mon, Dec 28, 2009 at 4:30 PM, Paul Schmehl <pschmehl_lists at ...3425...>
> --On December 28, 2009 12:10:37 PM -0600 Matt Olney
> <molney at ...435...> wrote:
>> I see a lot of false positive for generic SQL injection rules. For
>> example, SID 13514 shown here:
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL
>> generic sql update injection attempt"; flow:established,to_server;
>> content:"update"; nocase; pcre:"/update[^\n]*set/i"; metadata:policy
>> security-ips drop, service http;
>> classtype:web-application-attack; sid:13514; rev:4;)
>> Alas it alerts for normal traffic like this:
>> GET /get_updates_1/assessment/frameset_yellow.asp HTTP/1.1
> I don't see how a sql injection attempt is going to begin with any
> character other than a space preceding it. How would the sql engine be
> able to parse that? ISTM that the update could simply be anchored on
> sides; e.g pcre:"$update^/i"; For update to work, the only thing that
> be on either side of it is a non-alpha character or a single quote, which
> the sql parser will discard. If you want to include set (which makes
> sense), I would make it a separate detection. A typical update
> would be UPDATE table SET blah='foo' where blah='bar' or blah like
> Something like this would be better, in my opinion.
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL
> sql update injection attempt"; flow:established,to_server;
> content:"update"; nocase; pcre:"/$update^/i"; content:"set"; nocase;
> pcre:"/$set^/i"; metadata:policy security-ips drop, service http;
> classtype:web-application-attack; sid:13514; rev:5;)
> Mind you, I haven't tested it, but it would certainly eliminate the false
> positive given in the example.
> Paul Schmehl, If it isn't already
> obvious, my opinions are my own
> and not those of my employer.
> WARNING: Check the headers before replying
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and
> Join now and get one step closer to millions of Verizon customers
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
WARNING: Check the headers before replying
More information about the Snort-sigs