alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT\b.*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 20:59:38 UTC


alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT\b.*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:13;)

Added 2014-08-21 18:10:23 UTC


alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT[^\b].*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:12;)

Added 2014-08-19 16:22:04 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:10;)

Added 2011-10-12 19:20:44 UTC

I recommend changing the pcre phrase to "/SELECT[^\w].*FROM/Ui". Adding [^\w] to the rule will reduce the number of false positives. I cannot imagine this change introducing additional false negatives, since the obfuscation characters %, \s, ( and + are not included in \w.

-- StevenHilton - 2013-10-25

I think that might work, Steven, and it will apply to all of our generic SQLi rules.

Let me run it by Will and through QA to see how it fares.

-- MattJonkman - 2013-10-26

Oracle Fin uses this commonly: iSelectDelimiter=%3B&baseToLovKey=/oracle/apps/gl/inquiryWkb/webui/BalanceInqPG.FromPeriodSCPL, leading to a false positive.

I agree that [^\w] should be added to the rule.

-- PaulPieralde - 2014-02-21

Sorry, I dropped the ball on this change. Talking to Will, he suggested we use \b instead of [^\w]. I'm going to test that and push it if it holds up. Does that sound right to you all?

-- MattJonkman - 2014-02-21


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; sid:2006445; rev:10;)

Added 2011-09-14 22:34:16 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006445; rev:10;)

Added 2011-02-04 17:25:22 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006445; rev:9;)

Added 2010-04-14 12:15:58 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006445; rev:9;)

Added 2010-04-14 12:15:58 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT "; nocase; uricontent:" FROM "; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006445; rev:8;)

Added 2009-10-06 14:19:04 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT "; nocase; uricontent:" FROM "; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006445; rev:8;)

Added 2009-10-06 14:19:04 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT "; nocase; uricontent:" FROM "; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List; sid:2006445; rev:6;)

Added 2009-02-16 21:46:09 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT "; nocase; uricontent:" FROM "; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; sid:2006445; rev:5;)

Added 2008-06-06 20:49:03 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Possible SQL Injection Attempt -- SELECT FROM"; flow:established,to_server; uricontent:"SELECT "; nocase; uricontent:" FROM "; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; sid:2006445; rev:4;)

Added 2008-01-31 18:48:11 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Possible SQL Injection Attempt -- SELECT FROM"; flow:established,to_server; uricontent:"SELECT "; nocase; uricontent:" FROM "; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; sid:2006445; rev:3;)

Added 2007-08-29 09:46:56 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Possible SQL Injection Attempt -- SELECT FROM"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:" FROM "; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; sid:2006445; rev:2;)

Added 2007-08-14 13:46:20 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Possible SQL Injection Attempt -- SELECT FROM"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; sid:2006445; rev:1;)

Added 2007-07-30 02:35:14 UTC

