[Snort-sigs] Generic SQL injection false positives

Guise McAllaster guise.mcallaster at ...2420...
Wed Jan 27 14:28:59 EST 2010


Matt,



Thank you again for following up on this and helping get
improvements in place.  Your continued responses and actual actions
are much appreciated.



As far as Shlong being an emerging star (and "hard work" -- it's just
some minor PCRE changes) ... hmmmm (*thinks of someone else who could
be VRT star*).  Consider this latest revision of 13514:



alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET parameter"; flow:established,to_server; uricontent:"update"; nocase; pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Ui"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:7;)



This doesn't detect the classic/normal attacks.  A single space or a
'+' between 'update' and 'set' will not match the PCRE.  Examples:



/.php?user=monley';+update+set+awesome=1+where+name=guise--+

/facepalm.php?user=guise'; update set awesome=0 where name=snigel--

/bottompostsux.php?user=junkman';/**/update/**/set/**/awesome=1/**/where/**/name=ET--



The other SQL injection rule updates may suffer from the same (or
similar) PCRE shortcomings but you can check yourself.  I've already
offered my suggestion (which was not used) and I cannot in good
conscience continue to correct VRT rules for free :) but the way I see
it, if you bother cranking up the PCRE engine, you might as well take
advantage of all its powerfulness.



Seriously, thanks again for responding about these rules.  As an
indirect result of investigating it, I found a serious flaw in my
snort setup and now it is fixed and boss give Guise compliment and is
happy :)



Guise

On 1/26/10, Matt Olney <molney at ...435...> wrote:
> Thanks to the hard work of Shong, one of our emerging stars on the
> analyst team these are among the changes in this week's update:
>
> Updated rules:
> 13512 <-> SQL generic sql exec injection attempt - GET parameter
> (sql.rules, High)
> 13513 <-> SQL generic sql insert injection atttempt - GET parameter
> (sql.rules, High)
> 13514 <-> SQL generic sql update injection attempt - GET parameter
> (sql.rules, High)
> 13990 <-> SQL union select - possible sql injection attempt - GET
> parameter (sql.rules, Medium)
>
> Thanks for the heads up on these, keep letting us know if you have any
> issues.
>
> Matt
>
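Added example (editor's code, not part of the original thread and not a VRT rule): the Python harness below applies the rev 7 PCRE from sid 13514 to the three URIs quoted in the post and shows why none of them match, then runs the same URIs through a tightened pattern. The tightened pattern is this editor's illustration of the point being made, not the suggestion the post alludes to (which is not on the page); it treats whitespace, a literal '+' and a '/**/' comment as equivalent keyword separators and makes the table name between UPDATE and SET optional. Python's re module is used as a stand-in for Snort's PCRE (the /U buffer modifier has no equivalent here; the pattern is simply run against the URI string). The benign URI at the end is constructed to show the tightened pattern still needs both keywords with a separator after SET.

```python
import re

# The PCRE from sid 13514 rev 7, exactly as quoted in the post.
# Snort's /i maps to re.IGNORECASE; /U only selects the URI buffer.
ORIGINAL_PCRE = re.compile(r"update\s+[^/\\]+set\s+[^/\\]+", re.IGNORECASE)

# Editor's tightened variant (assumption: not the VRT rule, not the post's
# own suggestion). A keyword separator may be whitespace, a literal '+'
# (which \s never matches, as the post points out), or an inline comment.
# The "<something> <separator>" group before SET is optional, so
# "update set ..." with no table name still matches.
SEP = r"(?:\s|\+|/\*.*?\*/)+"
IMPROVED_PCRE = re.compile(
    r"update" + SEP + r"(?:\S+?" + SEP + r")?set" + SEP,
    re.IGNORECASE,
)

# The three URIs from the post, verbatim.
SAMPLE_URIS = [
    "/.php?user=monley';+update+set+awesome=1+where+name=guise--+",
    "/facepalm.php?user=guise'; update set awesome=0 where name=snigel--",
    "/bottompostsux.php?user=junkman';/**/update/**/set/**/awesome=1/**/where/**/name=ET--",
]

# Constructed benign URI: contains "update" and "set" as ordinary words,
# with no separator the pattern accepts after either keyword.
BENIGN_URI = "/docs/how-to-update-settings"


def matches(pattern, uri):
    """True if the compiled pattern fires anywhere in the URI."""
    return pattern.search(uri) is not None


def evaluate(uris=SAMPLE_URIS):
    """Map each URI to (original_pattern_hit, improved_pattern_hit)."""
    return {u: (matches(ORIGINAL_PCRE, u), matches(IMPROVED_PCRE, u)) for u in uris}


if __name__ == "__main__":
    for uri, (orig_hit, new_hit) in evaluate().items():
        print(f"rev7={orig_hit!s:5} tightened={new_hit!s:5}  {uri}")
    print(f"benign: rev7={matches(ORIGINAL_PCRE, BENIGN_URI)} "
          f"tightened={matches(IMPROVED_PCRE, BENIGN_URI)}")
```

The original fails for the reasons the post gives: `\s+` cannot match '+' or '/', and `[^/\\]+` demands at least one character between the whitespace and SET, so "update set" with nothing in between never matches. The tightened pattern fires on all three samples and stays quiet on the benign path, but a keyword-plus-separator pattern remains an approximation: it will still fire on prose such as "update my set of ..." passed in a GET parameter, which is the false-positive trade-off the thread's subject line is about.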



