[Snort-sigs] Detecting sql injection

Paul Schmehl pschmehl_lists at ...3425...
Wed Jan 13 14:41:03 EST 2010


I wrote a rule to detect "and 1=1".

alert tcp any any -> $HOME_NET $PORT_HTTP (msg:"SQL Injection Attempt - and 1=1"; content:"GET"; http_method; uricontent:"and 1=1"; nocase; classtype:web-application-attack; sid:3000001; rev:1;)

It works.

I then wrote this rule to detect "number=same number".  It doesn't work.  I'm 
certain the problem is with the pcre, because the rule triggers without it.

alert tcp any any -> $HOME_NET $PORT_HTTP (msg:"SQL Injection Attempt - and number = same number"; content:"GET"; http_method; uricontent:"?"; uricontent:"and"; pcre:"/(\d+)=\1/"; classtype:web-application-attack; sid:3000006; rev:6;)

I tested the pcre against this site: http://www.regextester.com/index2.html. 
It works.  (Testing for 1=1, 20=20, 44=44, etc all result in matches.)

Any clues what the problem might be?  Does Snort not do pattern set matching? 
(If so, any plans to add that?)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
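An added example, not part of the post above and not an answer from the list, that checks the posted PCRE outside Snort. It runs the regex `(\d+)=\1` over constructed request lines (not captured traffic) twice: once against the raw request line, which is what a Snort 2.x `pcre` without the `U` modifier inspects, and once against the URL-decoded URI, which is roughly the normalized buffer that `uricontent` (and `pcre` with `/U`) inspects. It also tries a tighter variant with digit boundaries and optional whitespace around `=`, which is my own suggestion and not from the post. The sample URIs, the `SAME_NUMBER_STRICT` pattern and the helper names are all assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# The PCRE from the posted rule; Python's re handles the \1 backreference the same way.
SAME_NUMBER = re.compile(r"(\d+)=\1")

# Tighter variant (added here, not from the post): digit boundaries so that "1=12"
# does not count as "1=1", and optional whitespace so "7 = 7" is still caught.
SAME_NUMBER_STRICT = re.compile(r"(?<!\d)(\d+)\s*=\s*\1(?!\d)")

# Constructed sample request lines (not real traffic) covering plain, %20/+ encoded
# spaces, an encoded "=" (%3D), a benign query and two edge cases.
SAMPLES = [
    "GET /item.php?id=5 and 1=1 HTTP/1.1",
    "GET /item.php?id=5%20and%2020%3D20 HTTP/1.1",
    "GET /item.php?id=5+and+44%3D44 HTTP/1.1",
    "GET /item.php?id=1&page=12 HTTP/1.1",
    "GET /item.php?id=5+and+1%3D12 HTTP/1.1",
    "GET /item.php?id=5+and+7+%3D+7 HTTP/1.1",
]


def request_uri(line):
    """Return the URI between the method and the ' HTTP/x.y' version token."""
    _method, _sep, rest = line.partition(" ")
    return rest.rsplit(" HTTP/", 1)[0]


def normalized_uri(line):
    """URL-decode the URI (%XX and '+'), approximating the buffer Snort's HTTP
    preprocessor gives to uricontent and to pcre with the U modifier."""
    return unquote_plus(request_uri(line))


def matches_raw(line, pattern=SAME_NUMBER):
    """Search the raw request line, as a pcre option without /U does on the payload."""
    return pattern.search(line) is not None


def matches_normalized(line, pattern=SAME_NUMBER):
    """Search the decoded URI, as uricontent and pcre /U do."""
    return pattern.search(normalized_uri(line)) is not None


def classify(line):
    """(raw match, normalized match, normalized match with the strict pattern)."""
    return (
        matches_raw(line),
        matches_normalized(line),
        matches_normalized(line, SAME_NUMBER_STRICT),
    )


if __name__ == "__main__":
    for sample in SAMPLES:
        raw, norm, strict = classify(sample)
        print(f"{request_uri(sample):40} raw={raw!s:5} normalized={norm!s:5} strict={strict}")
```

Running it shows the two caveats worth checking when a `pcre` option behaves differently from a `uricontent` option: an encoded `=` (`%3D`) is invisible to a regex run over the raw payload but visible after normalization, and the unanchored `(\d+)=\1` also fires on `1=12` while missing `7 = 7`.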
