[Snort-sigs] PCRE and normalized content

Paul Schmehl pschmehl_lists at ...3425...
Wed Jan 13 22:24:30 EST 2010


You were right.  I should have read the manual better.  I went back and 
found the section you quoted.  Don't know why I missed it previously. 
Thanks for pointing it out.

Anyway, this rule is now working quite well:

alert tcp any any -> $HOME_NET $PORT_HTTP ( \
    msg:"SQL Injection Attempt - and number = same number"; \
    content:"GET"; http_method; \
    uricontent:"?"; uricontent:"="; uricontent:"and"; \
    pcre:"/(\d+)=\1/U"; \
    classtype:web-application-attack; sid:3000006; rev:9; \
)

It's picking up SQL injection attempts like this:

000 : 47 45 54 20 2F 63 61 6C 65 6E 64 61 72 2F 65 76   GET /calendar/ev
010 : 65 6E 74 2E 70 68 70 3F 69 64 3D 31 32 32 30 30   ent.php?id=12200
020 : 38 32 38 39 31 27 25 32 30 61 6E 64 25 32 30 31   82891'%20and%201
030 : 3D 31 25 32 30 61 6E 64 25 32 30 27 27 3D 27 20   =1%20and%20''='

BTW, I read the thread you referenced.  I don't think the fact that you 
can't catch every possible instance mitigates against writing a rule that 
will catch common instances of SQL injection attempts.  If I miss things 
I'm still better off than I was before, when I was missing everything.

--On January 13, 2010 6:08:52 PM -0600 "Rodrigo Montoro(Sp0oKeR)" 
<spooker at ...2420...> wrote:

>
> Paul,
>
> I think you should read the Snort manual =)
>
> Table 3.8: Snort specific modifiers for pcre
> R Match relative to the end of the last pattern match. (Similar to
> distance:0;)
> U Match the decoded URI buffers (Similar to uricontent and http uri)
> P Match normalized HTTP request body (Similar to http client body)
> H Match normalized HTTP request header (Similar to http header)
> M Match normalized HTTP request method (Similar to http method)
> C Match normalized HTTP request cookie (Similar to http cookie)
> B Do not use the decoded buffers (Similar to rawbytes)
> O Override the configured pcre match limit for this expression (See
> section 2.1.3)
>
> Anyway, this rule will fail with a simple 'and 1<2'.
>
> I tried once to write a rule, but there are too many ways to write the
> same query. Take a look at this thread:
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/000698.html
>
> Anyway, I don't think this list is about writing new rules =)
>
> Regards,
>
> On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists at ...3425...>
> wrote:
>> This string: %20%61%6E%64%20%31%3D%31
>> equals this string: ' and 1=1'
>> after normalization.  You can pick this up in a rule by using
>> uricontent instead of content.  But what do you do about PCRE?  Is
>> there a way to get PCRE to match against normalized content?  Or will
>> it only match against non-normalized content?
>>
>> I'm working on sql injection rules and using the following pcre:
>> pcre:"/and\s(\d+)=\1/";
>>
>> It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently
>> because it's attempting to match against the non-normalized content.
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker



Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
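The normalization question and the 'and 1<2' caveat from the exchange above, as an added Python example that is not from the list thread or from Snort itself. It percent-decodes the URI once to approximate what Snort's http_inspect hands to uricontent and to pcre with the /U modifier, then runs Paul's (\d+)=\1 expression both on the raw URI (his first version, no /U) and on the decoded one, over a few constructed request lines. The first sample mirrors the hex dump in the post; the other samples, and the names matches_rule, scan and SAMPLE_REQUESTS, are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Paul's expression as posted on the list.  It is unanchored and partial:
# any run of digits followed by '=' and the same digits, anywhere in the
# buffer, satisfies it.
TAUTOLOGY_RE = re.compile(r"(\d+)=\1")

# Stand-in for the rule's uricontent checks ("?", "=", "and").  Snort
# evaluates uricontent against the decoded URI regardless of pcre flags.
URI_PREFILTER = ("?", "=", "and")


def normalize_uri(uri: str) -> str:
    """Percent-decode the request URI once, roughly what http_inspect
    hands to uricontent and to pcre with /U.  A second layer of
    encoding (%2531 for %31) is deliberately left alone, as a single
    decode pass would."""
    return unquote(uri)


def matches_rule(request_line: str, normalized_pcre: bool = True) -> bool:
    """Return True if the request line would trip the posted rule.

    normalized_pcre=True  -> pcre runs on the decoded URI (the /U flag).
    normalized_pcre=False -> pcre runs on the raw bytes, which is what
                             the first version without /U did.
    """
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":     # content:"GET"; http_method;
        return False
    raw_uri = parts[1]
    decoded = normalize_uri(raw_uri)
    if not all(token in decoded for token in URI_PREFILTER):
        return False
    target = decoded if normalized_pcre else raw_uri
    return TAUTOLOGY_RE.search(target) is not None


# Constructed request lines (not captured traffic).  "literal" mirrors the
# hex dump in the post; the others probe the two pcre modes and the caveats.
SAMPLE_REQUESTS = {
    "literal":        "GET /calendar/event.php?id=1220082891'%20and%201=1%20and%20''=' HTTP/1.1",
    "encoded":        "GET /calendar/event.php?id=5%20%61%6E%64%20%31%3D%31 HTTP/1.1",
    "less_than":      "GET /calendar/event.php?id=5%20and%201<2 HTTP/1.1",
    "false_positive": "GET /search.php?q=random%20100=100 HTTP/1.1",
}


def scan(requests=SAMPLE_REQUESTS):
    """Run every sample through both pcre modes.

    Returns {name: (hit_without_U, hit_with_U)}."""
    return {
        name: (matches_rule(line, normalized_pcre=False),
               matches_rule(line, normalized_pcre=True))
        for name, line in requests.items()
    }


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in scan().items():
        print(f"{name:15s} raw pcre: {raw_hit!s:5s}  /U pcre: {norm_hit}")
```

Running it shows the four outcomes the thread talks about: the unencoded 1=1 fires in both modes, the fully encoded %31%3D%31 fires only once the regex runs on the decoded buffer, 'and 1<2' slips past in both modes, and a query string such as q=random 100=100 fires although it contains no SQL, because "and" is a substring of "random" and the backreference is unanchored.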


