[Snort-sigs] Generic SQL injection false positives

Matt Olney molney at ...435...
Tue Dec 29 16:15:41 EST 2009


Morning exploded, but I wanted to put out some normalization data (see below
for test output):

1)  We normalize %20 to a space
2)  We normalize %3d into a =
3)  We do not normalize /**/ (or /* */)
4)  We do not normalize +
5)  We do not normalize ++

Remember, the normalization that occurs in the URI is for HTTP data
normalization (%20, ../../../, etc...) not for database normalization.  So
to handle these cases, we'd have to do some PCRE, or write an SO rule.  I'm
not done looking over all this, but I thought you might be interested in the
data.

Matt

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0xab9b948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25     query=joe'+OR+1%
33 44 31 2b 4f 52 2b 27 6d 61 72 79 26 61 63 74     3D1+OR+'mary&act
69 6f 6e 3d 73 65 61 72 63 68 26 78 3d 30 26 79     ion=search&x=0&y
3d 30 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73     =0 HTTP/1.1..Hos


[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+'mary&action=search&x=0&y=0

/**/ comment in the middle:

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0x9b92948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25     query=joe'+OR+1%
33 44 31 2b 4f 52 2b 2f 2a 2a 2f 27 6d 61 72 79     3D1+OR+/**/'mary
26 61 63 74 69 6f 6e 3d 73 65 61 72 63 68 26 78     &action=search&x
3d 30 26 79 3d 30 20 48 54 54 50 2f 31 2e 31 0d     =0&y=0 HTTP/1.1.

[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+/**/'mary&action=search&x=0&y=0

Percent 20 in the middle of the comment:

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0xa5ff948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25     query=joe'+OR+1%
33 44 31 2b 4f 52 2b 2f 2a 25 32 30 2a 2f 27 6d     3D1+OR+/*%20*/'m
61 72 79 26 61 63 74 69 6f 6e 3d 73 65 61 72 63     ary&action=searc
68 26 78 3d 30 26 79 3d 30 20 48 54 54 50 2f 31     h&x=0&y=0 HTTP/1
2e 31 0d 0a 48 6f 73 74 3a 20 31 30 2e 34 2e 31     .1..Host: 10.4.1

[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+/*
*/'mary&action=search&x=0&y=0

******  BUFFER INFORMATION  ******
[RAW BUFFER DATA (0x9eca948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64     GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68     store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 2b 31     query=joe'+OR++1
25 33 44 31 2b 4f 52 2b 2f 2a 25 32 30 2a 2f 27     %3D1+OR+/*%20*/'
6d 61 72 79 26 61 63 74 69 6f 6e 3d 73 65 61 72     mary&action=sear
63 68 26 78 3d 30 26 79 3d 30 20 48 54 54 50 2f     ch&x=0&y=0 HTTP/
31 2e 31 0d 0a 48 6f 73 74 3a 20 31 30 2e 34 2e     1.1..Host: 10.4.

[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR++1=1+OR+/*
*/'mary&action=search&x=0&y=0
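Added example (Python; not from the post and not Snort's own code): it replays the four query strings from the hex dumps above through a first stage that mimics the HTTP_URI normalization the post reports (percent-decoding only, so '+' and /**/ survive) and then through the extra SQL-oriented normalization a PCRE or SO rule would have to do itself, so that one tautology check matches all four cases consistently. The function names, both regexes and the RAW_QUERIES table are this example's own; urllib.parse.unquote is assumed to be an adequate stand-in for Snort's decoder for these particular inputs.

```python
import re
from urllib.parse import unquote

# The four query strings from the raw buffers in the post (copied from the
# hex dumps); everything else here is added and not from the post or Snort.
RAW_QUERIES = {
    "plain":         "searchquery=joe'+OR+1%3D1+OR+'mary&action=search&x=0&y=0",
    "empty_comment": "searchquery=joe'+OR+1%3D1+OR+/**/'mary&action=search&x=0&y=0",
    "pct20_comment": "searchquery=joe'+OR+1%3D1+OR+/*%20*/'mary&action=search&x=0&y=0",
    "double_plus":   "searchquery=joe'+OR++1%3D1+OR+/*%20*/'mary&action=search&x=0&y=0",
}


def http_normalize(raw: str) -> str:
    """Stage 1: approximate what the post reports for the HTTP_URI buffer.

    Percent-encoded bytes (%20, %3D, ...) are decoded; '+' and SQL comment
    tokens are left alone because they are not HTTP encoding.  unquote()
    (as opposed to unquote_plus()) has exactly that behaviour, which is why
    it is used as the stand-in here.
    """
    return unquote(raw)


# Stage 2: the extra work a rule would need to do on top of stage 1 (in Snort
# via PCRE or an SO rule): treat '+' (a form-encoded space), runs of '+', and
# /* ... */ comments as whitespace, collapsing each run to a single space.
_SQL_WS = re.compile(r"(?:/\*.*?\*/|\+|\s)+", re.S)


def sql_normalize(uri: str) -> str:
    return _SQL_WS.sub(" ", uri)


# A simple "OR x=x" tautology check.  It only behaves consistently after
# stage 2, because stage 1 still leaves "OR++1=1" and "OR+/**/'" untouched.
_TAUTOLOGY = re.compile(r"\bor\s+('?\w+'?)\s*=\s*\1\b", re.I)


def has_tautology(uri: str) -> bool:
    return _TAUTOLOGY.search(uri) is not None


def normalize_all() -> dict:
    """Run both stages over every test case; returns {name: (stage1, stage2)}."""
    return {name: (http_normalize(q), sql_normalize(http_normalize(q)))
            for name, q in RAW_QUERIES.items()}


if __name__ == "__main__":
    for name, (s1, s2) in normalize_all().items():
        print(f"{name:14s} HTTP: {s1}")
        print(f"{'':14s} SQL : {s2}   tautology={has_tautology(s2)}")
```

Stage 1 reproduces the HTTP_URI lines shown in the post for all four dumps (with the %20 inside the comment decoded to a space), and only after stage 2 do the four variants collapse to the same string, which is the point the post makes about needing PCRE or an SO rule rather than relying on the URI normalizer.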