[Snort-users] Undetected SQL Injection
Jason.Haar at ...294...
Mon Jun 23 19:13:56 EDT 2008
Curtis LaMasters wrote:
> I am running Snort 2.7 on my firewalls and have still somehow been SQL
> injected. I have the SQL rules, MySQL rules, IIS Rules, and a few
> more but it still did not detect. Below I have part of the IIS log
> where the injection (attempt) was done. I was hoping someone could
> shed some light on the problem. Please let me know if I need to
> provide any additional information.
As the sample URIs you gave imply it was some sort of store, can I ask
if it was HTTPS or HTTP? If it was over HTTPS, then Snort wouldn't have
been able to decipher it - as it's encrypted :-)
If you are using HTTPS, then you have to "convert" that traffic back
into an unencrypted format before any analysis can be done. e.g. reverse
proxies, Web Application Firewalls, etc.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
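
An added example, not part of the original post: a triage script that splits suspicious IIS log entries by server port, showing which ones arrived over HTTPS and so reached the sensor only as ciphertext. It assumes W3C extended logging with the `cs-uri-query` and `s-port` fields enabled and HTTPS on port 443; the log lines are constructed, and the regex is a rough heuristic, not a Snort rule.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (not the log from the post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2008-06-20 10:01:02 192.0.2.10 GET /store/item.asp id=42 80 198.51.100.7 200
2008-06-20 10:01:09 192.0.2.10 GET /store/item.asp id=42;DECLARE%20@S%20VARCHAR(4000);EXEC(@S) 443 198.51.100.7 200
2008-06-20 10:01:15 192.0.2.10 GET /store/item.asp id=42%20UNION%20SELECT%20name%20FROM%20sysobjects 80 198.51.100.9 500
"""

# Heuristic markers of SQL in a query string (illustrative only).
SQLI = re.compile(r"(?i)(union\s+select|declare\s+@\w+|exec\s*\(|;\s*drop\s+table)")
TLS_PORTS = {"443"}  # assumption: HTTPS is served on the default port


def triage(log_text):
    """Return (line_no, port, visible_to_sensor, decoded_query) per suspicious request."""
    fields, hits = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            # The header names the columns; it can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS logs the query URL-encoded; decode before matching.
        query = unquote_plus(row.get("cs-uri-query", "-"))
        if SQLI.search(query):
            port = row.get("s-port", "?")
            # Requests on a TLS port were encrypted on the wire, so a
            # passive sensor in front of the server could not inspect them.
            hits.append((n, port, port not in TLS_PORTS, query))
    return hits


if __name__ == "__main__":
    for n, port, visible, query in triage(SAMPLE_LOG):
        where = "cleartext, sensor could inspect" if visible else "TLS, opaque to sensor"
        print(f"line {n} port {port} [{where}]: {query}")
```

Entries flagged on port 443 are the ones that need inspection at a point where the traffic is already decrypted, such as the reverse proxy or WAF mentioned above.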