[Snort-sigs] SQLi Injection Attempts

Stanwyck, Carraig - ASOC, Kansas City, MO Carraig.Stanwyck at ...4154...
Wed Oct 19 16:41:47 EDT 2016

Good Evening,

We saw a surge in injection attempts using UAs with "testitest" in them.  "testitest (test at ...4187...)" and "testitest (test at ...4188...)"

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST User Agent (SQLi Injection / Scanning)"; flow:established,to_server; content:"testitest"; http_header; fast_pattern; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:123456789; rev:1;)

Carraig Stanwyck
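
An added example, not part of the original post: the rule above only alerts on new traffic, so this sketch searches existing web server logs for the same "testitest" marker to scope which sources already sent it. It assumes Apache/nginx "combined" format access logs; the `hunt` function name and the sample lines (documentation IP ranges, made-up paths and address) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Same literal the Snort rule matches (case-sensitive, since the rule has no nocase).
UA_MARKER = "testitest"

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

def hunt(lines, marker=UA_MARKER):
    """Group requests whose User-Agent contains the marker by source IP."""
    found = defaultdict(lambda: {"hits": 0, "statuses": Counter(), "requests": []})
    for line in lines:
        m = COMBINED.match(line)
        # Narrower than the rule: http_header covers all headers, this checks
        # the User-Agent field only, so a marker in the URI is not a hit.
        if not m or marker not in m.group("ua"):
            continue
        entry = found[m.group("ip")]
        entry["hits"] += 1
        entry["statuses"][m.group("status")] += 1
        entry["requests"].append(m.group("request"))
    return dict(found)

# Constructed sample log lines, not taken from the original post.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Oct/2016:15:02:11 -0400] "GET /item.php?id=1%27 HTTP/1.1" 200 512 "-" "testitest (test@example.invalid)"',
    '203.0.113.7 - - [19/Oct/2016:15:02:12 -0400] "GET /item.php?id=2%27 HTTP/1.1" 500 301 "-" "testitest (test@example.invalid)"',
    '198.51.100.23 - - [19/Oct/2016:15:03:40 -0400] "GET /search?q=testitest HTTP/1.1" 200 944 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [19/Oct/2016:15:05:09 -0400] "POST /login.php HTTP/1.1" 404 162 "-" "testitest (test@example.invalid)"',
    'malformed line that the parser should skip',
]

if __name__ == "__main__":
    for ip, info in sorted(hunt(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"]):
        print(ip, info["hits"], dict(info["statuses"]))
        for req in info["requests"]:
            print("   ", req)
```

Server errors (5xx) among the hits are the requests worth reviewing first, since they suggest the application reacted to the input.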
