[Snort-users] Snort -Problem with rule -

younes.abderrahmane31 at ...11827...
Fri Apr 28 21:05:37 EDT 2017


Hello everyone,
I am trying to test SQLi with Snort.
I have two machines:
1- where I installed Snort and the DVWA application (to test SQL injection)
2- the machine which is going to make the SQLi attack on the DVWA application

So on the first machine I added this rule (in local.rule) to detect SQLi
(https://www.linkedin.com/pulse/detecting-sql-injections-real-time-mission-impossible-val-smirnov):
************************************************************
alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only; http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:10000002; rev:002;)
**************************************************************

And after the test
sudo snort -T -c /etc/snort/snort.conf -i eth0
sudo snort -A console -c /etc/snort/snort.conf -i eth0
Snort detects nothing (for example '1or1=1#).

But when I deleted the pcre part of the rule, Snort detects it:
**********************************************************************************************
alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; sid:10000002; rev:002;)
***********************************************************************************************


Can someone help me: why does the first rule (with pcre) not work?
Thanks.


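As an added example (not from the post, the linked article or Snort itself), this Python script emulates the rule's content and pcre checks on two constructed DVWA-style POST bodies: the value quoted in the post and the same value with spaces around "or". The form field names and the body layout are assumptions; the checks are a re-implementation of the rule's options, not Snort's own matcher.

```python
import re
from urllib.parse import quote_plus

# Payload options copied from the rule in the post. "http_client_body" and the pcre
# "P" flag both select the raw (still URL-encoded) HTTP client body, and the rule has
# no "nocase", so the content match is case-sensitive while the pcre "i" flag is not.
CONTENT = "1%3D1"
PCRE = re.compile(r"or\++1%3D1", re.IGNORECASE)   # \++ : one or more literal '+' signs


def evaluate_rule(client_body: str) -> dict:
    """Apply the rule's content and pcre checks to one HTTP client body.

    Returns which checks fired, plus whether the full rule (content AND pcre)
    and the reduced rule from the post (content only) would alert.
    """
    content_hit = CONTENT in client_body
    pcre_hit = PCRE.search(client_body) is not None
    return {
        "content": content_hit,
        "pcre": pcre_hit,
        "full_rule_alerts": content_hit and pcre_hit,
        "content_only_alerts": content_hit,
    }


def form_body(user_input: str) -> str:
    """Constructed DVWA-style POST body (assumed field names) for a raw form value."""
    return "id=" + quote_plus(user_input) + "&Submit=Submit"


# Constructed samples: the value from the post, and one with spaces around 'or'.
SAMPLES = {
    "post's value  '1or1=1#": form_body("'1or1=1#"),   # -> %271or1%3D1%23
    "spaced value  ' or 1=1": form_body("' or 1=1"),   # -> %27+or+1%3D1
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:24} body={body:<32} {evaluate_rule(body)}")
```

The post's value encodes to %271or1%3D1%23, so the content string is present but the pcre, which requires at least one "+" between "or" and "1%3D1", never fires; the spaced value encodes to %27+or+1%3D1 and satisfies both checks.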


