Home page logo

snort logo Snort mailing list archives

Re: [Emerging-Sigs] which SQL injection detection rule is best when considering performance, false-positive, real attack
From: Martin Holste <mcholste () gmail com>
Date: Wed, 1 Dec 2010 10:39:44 -0600

One thing to consider: if you're using any http preprocessor content
modifiers like uricontent, then you may decide you don't want to
specify ports to perform inspection on, since the http preproc has
done the work already anyway.

I think #1 is your best bet.  #2 won't work because the URI won't be
normalized (it will be encoded so the literal "+" won't be there).
#3-5 could be interesting, but I don't know if the load would be more
or less than the basic uricontent check.  SQLi via a cookie param or
POST param would be interestingly unconventional and might catch some
by surprise.  Injection via a raw header would also be less likely to
be sanitized, but also less likely to be used as user input.  On the
other hand, who knows how many SQLi vulns exist in web server log stat
packages?  Maybe SQLi on a user-agent field could get your code in
unexpected places.

2010/12/1 김무성 <kimms () infosec co kr>:
Hello list.

which SQL injection detection rule or combination is best when considering
performance, false-positive, real attack?

1.     Alert tcp any any -> any 80 (uricontent:"+and+1";)

2.     Alert tcp any any -> any 80 (content:"+and+1"; nocase;)

3.     Alert tcp any any -> any 80 (content:"+and+1"; http_header; nocase;)

4.     Alert tcp any any -> any 80 (content:"+and+1"; http_cookie; nocase;)

5.     Alert tcp any any -> any 80 (content:"+and+1"; http_client_body;


Emerging-sigs mailing list
Emerging-sigs () emergingthreats net

Support Emerging Threats! Subscribe to Emerging Threats Pro
The ONLY place to get complete premium rulesets for Snort 2.4.0 through

What happens now with your Lotus Notes apps - do you make another costly 
upgrade, or settle for being marooned without product support? Time to move
off Lotus Notes and onto the cloud with Force.com, apps are easier to build,
use, and manage than apps on traditional platforms. Sign up for the Lotus 
Notes Migration Kit to learn more. http://p.sf.net/sfu/salesforce-d2d
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]