[Oisf-users] rule does not always match

Vieri rentorbuy at yahoo.com
Fri Aug 18 10:02:42 UTC 2017


Hi,

Suricata on my system is detecting SQL injection attempts with the following sid:

"signature_id":2006445,"rev":13,"signature":"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM","category":"Web Application Attack","severity":1}}

I found that some http clients are GET'ing URLs by passing "select ... from".

So this is expected.
One example would be: SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE=´BASE TABLE´

However, there are select strings that are NOT detected by this rule. 
Here's an example: select tablespace_name, table_name from all_tables
Another example: SELECT tablespace_name, table_name FROM all_tables

(the rest of the URL is identical)

So I'm wondering why. Where can I look? What can I try?

The rule is:
emerging-web_server.rules:drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT\b.*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Suricata version 3.2.1

Thanks,

Vieri
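As an added illustration, not part of the original message or of the ET ruleset, here is a small Python model of the three matchers in sid:2006445 rev:13 (two case-insensitive content matches and the pcre, all against the normalized URI), applied to the three strings from the post plus two constructed URIs that would not alert. The paths and parameter names are made up, and the percent-decode is only an approximation of the http_uri buffer that libhtp builds inside Suricata; the point is to see which matcher fails for a given input, not to reproduce the engine.

```python
import re
from urllib.parse import unquote

# Added example: a model of the three matchers in ET sid:2006445 rev:13, each
# evaluated against the normalized URI (content ... http_uri; pcre /.../U).
# It is NOT Suricata's engine: libhtp builds the real normalized-URI buffer
# (percent-decoding, path normalization) and its behaviour on odd input is
# only approximated here by a single urllib percent-decode.
CONTENT_SELECT = "select"   # content:"SELECT"; nocase; http_uri;
CONTENT_FROM = "from"       # content:"FROM"; nocase; http_uri;
# pcre:"/SELECT\b.*FROM/Ui" -- 'i' = case-insensitive, 'U' = normalized URI.
# Without the 's' flag '.' does not match a newline, in PCRE or in Python's re.
PCRE = re.compile(r"SELECT\b.*FROM", re.IGNORECASE)


def normalize_uri(raw_uri: str) -> str:
    """Approximation of the http_uri buffer: one round of percent-decoding."""
    return unquote(raw_uri)


def evaluate_rule(raw_uri: str) -> dict:
    """Return the outcome of each matcher and the overall alert decision."""
    uri = normalize_uri(raw_uri)
    lowered = uri.lower()
    content_select = CONTENT_SELECT in lowered
    content_from = CONTENT_FROM in lowered
    pcre_hit = PCRE.search(uri) is not None
    return {
        "uri": uri,
        "content_select": content_select,
        "content_from": content_from,
        "pcre": pcre_hit,
        # All matchers in a rule are ANDed; any one failing suppresses the alert.
        "alert": content_select and content_from and pcre_hit,
    }


# Constructed request URIs (the path and parameter name are made up).
SAMPLES = {
    # The poster's three strings, as a client would normally URL-encode them.
    "posted_1": "/app/q?sql=SELECT%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_TYPE%3D%27BASE%20TABLE%27",
    "posted_2": "/app/q?sql=select%20tablespace_name,%20table_name%20from%20all_tables",
    "posted_3": "/app/q?sql=SELECT%20tablespace_name,%20table_name%20FROM%20all_tables",
    # Constructed: a decoded newline between SELECT and FROM. Both content
    # matches still hit, but '.*' stops at the newline and the pcre fails.
    "newline_between": "/app/q?sql=select%20tablespace_name,%0atable_name%20from%20all_tables",
    # Constructed: what the engine would see if the URI it parsed ended at the
    # first raw (unencoded) space in the request line. This is an assumption to
    # check against the actual http.url in eve.json or a pcap, not a claim
    # about how libhtp parses such a request line.
    "truncated_at_space": "/app/q?sql=select",
}


def non_alerting(samples: dict) -> list:
    """Names of samples the rule would not alert on, in insertion order."""
    return [name for name, uri in samples.items() if not evaluate_rule(uri)["alert"]]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate_rule(raw))
```

Run as-is, all three posted strings alert in this model, so the difference on the real system has to be in what the engine actually saw rather than in the rule text. The useful check is to compare the request the client thinks it sent with the URI Suricata logged for the same flow (the url field of an eve.json http event, or the request line in a pcap): a URI cut short, or a decoded control character between SELECT and FROM, shows up there as one of the three matchers failing.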
