[Oisf-users] rule does not always match

Peter Manev petermanev at gmail.com
Fri Aug 18 16:45:29 UTC 2017


On Fri, Aug 18, 2017 at 11:02 AM, Vieri <rentorbuy at yahoo.com> wrote:
> Hi,
>
> Suricata on my system is detecting SQL injection attempts with the following sid:
>
> "signature_id":2006445,"rev":13,"signature":"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM","category":"Web Application Attack","severity":1}}
>
> I found that some http clients are GET'ing URLs by passing "select ... from".
>
> So this is expected.
> One example would be: SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE=´BASE TABLE´
>
> However, there are select strings that are NOT detected by this rule.
> Here's an example: select tablespace_name, table_name from all_tables
> Another example: SELECT tablespace_name, table_name FROM all_tables
>
> (the rest of the URL is identical)
>
> So I'm wondering why. Where can I look? What can I try?
>
> The rule is:
> emerging-web_server.rules:drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT\b.*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
>
> Suricata version 3.2.1
>

Please consider upgrading to latest stable and confirm.
Do you have a reproducible pcap you can share?




-- 
Regards,
Peter Manev
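Added example (not part of the thread, and not Suricata's or ET's code): a small Python emulation of the three match conditions in sid 2006445, applied to the URIs from the post and to two constructed URIs that pass both `content` checks but fail the `pcre`. The request paths and parameter names (`/q?s=...`) are constructed; URI normalization is simplified to percent-decoding, whereas Suricata's real `http_uri` buffer comes from libhtp's normalizer and does more than that. The value of the emulation is as a sanity check on the pattern itself: if a URI alerts here but not in Suricata, the difference is not in the regex or content strings but in how the request was parsed, normalized or tracked as a flow, which is exactly what the requested pcap would show.

```python
import re
from urllib.parse import unquote

# The three match conditions of ET sid 2006445, transcribed from the rule text.
# The two content: checks carry no distance/within, so each is an independent,
# case-insensitive (nocase) substring test against the normalized URI buffer.
CONTENT_MATCHES = ("SELECT", "FROM")
# pcre:"/SELECT\b.*FROM/Ui": /U = match the normalized URI, /i = case-insensitive.
# Note the \b after SELECT and the ordering SELECT ... FROM, neither of which the
# content: checks enforce.
PCRE = re.compile(r"SELECT\b.*FROM", re.IGNORECASE)


def normalize_uri(raw_uri: str) -> str:
    """Simplified stand-in for Suricata's normalized http_uri buffer.
    Assumption: percent-decoding only. The real normalizer (libhtp) also
    handles path compression, double-encoding and similar; not modelled here."""
    return unquote(raw_uri)


def rule_2006445_matches(raw_uri: str) -> dict:
    """Evaluate each condition of sid 2006445 separately and report which ones hit.
    'alert' is True only when all three conditions are satisfied."""
    uri = normalize_uri(raw_uri)
    upper = uri.upper()
    result = {name: (name in upper) for name in CONTENT_MATCHES}
    result["pcre"] = PCRE.search(uri) is not None
    result["alert"] = all(result.values())
    return result


def explain(raw_uri: str) -> str:
    """One-line summary of why a URI does or does not alert under this emulation."""
    r = rule_2006445_matches(raw_uri)
    if r["alert"]:
        return "alert: all three conditions met"
    missing = [k for k in ("SELECT", "FROM", "pcre") if not r[k]]
    return "no alert: failed " + ", ".join(missing)


# Constructed request-URIs. The query strings reproduce the three examples from
# the post (percent-encoded as a client would send them); the last two are
# constructed to show what the pcre adds on top of the content checks.
SAMPLES = [
    "/q?s=SELECT%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_TYPE=%C2%B4BASE%20TABLE%C2%B4",
    "/q?s=select%20tablespace_name,%20table_name%20from%20all_tables",
    "/q?s=SELECT%20tablespace_name,%20table_name%20FROM%20all_tables",
    "/q?s=selection%20from%20list",   # content hits, \b after SELECT fails
    "/q?s=from%20a%20select%20b",     # content hits, SELECT does not precede FROM
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{explain(uri):45s} {uri}")
```

All three URIs from the post alert under this emulation, so the pattern as written is not what distinguishes them. To check the same thing against Suricata itself, put the rule alone in a file and replay the capture with `suricata -r capture.pcap -S single.rules -l <logdir>`, then compare `fast.log` or `eve.json` for the two requests.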