[Oisf-users] rule does not always match

Vieri rentorbuy at yahoo.com
Fri Aug 18 10:02:42 UTC 2017


Hi,

Suricata on my system is detecting SQL injection attempts with the following sid:

"signature_id":2006445,"rev":13,"signature":"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM","category":"Web Application Attack","severity":1}}

I found that some http clients are GET'ing URLs by passing "select ... from".

So this is expected.
One example would be: SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE=┬┤BASE TABLE┬┤

However, there are select strings that are NOT detected by this rule. 
Here's an example: select tablespace_name, table_name from all_tables
Another example: SELECT tablespace_name, table_name FROM all_tables

(the rest of the URL is identical)

So I'm wondering why. Where can I look? What can I try?

The rule is:
emerging-web_server.rules:drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT\b.*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Suricata version 3.2.1

Thanks,

Vieri


More information about the Oisf-users mailing list