[Snort-sigs] Detecting sql injection

Paul Schmehl pschmehl_lists at ...3425...
Wed Jan 13 14:41:03 EST 2010

I wrote a rule to detect "and 1=1".

lert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - and 
1=1"; content: "GET"; http_method; uricontent: "and 1=1"; nocase; 
classtype:web-application-attack; sid:3000001; rev:1;)

It works.

I then wrote this rule to detect "number=same number".  It doesn't work.  I'm 
certain the problem is with the pcre, because the rule triggers without it.

alert tcp any any -> $HOME_NET $PORT_HTTP (msg: "SQL Injection Attempt - and 
number = same number"; content: "GET"; http_method; uricontent: "?"; 
uricontent:"and"; pcre:"/(\d+)=\1/"; classtype:web-application-attack; 
sid:3000006; rev:6;)

I tested the pcre against this site: http://www.regextester.com/index2.html. 
It works.  (Testing for 1=1, 20=20, 44=44, etc all result in matches.)

Any clues what the problem might be?  Does snort not do pattern set matching? 
(If so, any plans to add that?)

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

More information about the Snort-sigs mailing list