[Snort-users] Undetected SQL Injection

Jason Haar Jason.Haar at ...294...
Mon Jun 23 19:13:56 EDT 2008

Curtis LaMasters wrote:
> I am running Snort 2.7 on my firewalls and have still somehow been SQL 
> injected.  I have the SQL rules, MySQL rules, IIS Rules, and a few 
> more but it still did not detect.  Below I have part of the IIS log 
> where the injection (attempt) was done. I was hoping someone could 
> shed some light on the problem. Please let me know if I need to 
> provide any additional information.

As the sample URIs you gave imply it was some sort of store, can I ask 
if it was HTTPS or HTTP? If it was over HTTPS, then snort wouldn't have 
been able to decipher it - as it's encrypted :-)

If you are using HTTPS, then you have to "convert" that traffic back 
into an unencrypted format before any analysis can be done. e.g. reverse 
proxies, Web Application Firewalls, etc.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1