EmergingThreats> Main Web>2013068 (2016-04-22, TravisGreen) EditAttach

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_20, updated_at 2016_07_01;)

Added 2017-08-07 21:06:18 UTC

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:4;)

Added 2016-04-25 18:11:18 UTC

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:2;)

Added 2011-10-12 19:35:57 UTC

A lot of false positives for this rule. It gets triggered even when the GET requests are like: /wp-json/oembed/1.0/embed?url=http%3A%2F%2Flibrary.aaa.bb%2Fblog%2F2010%2F04%2Flibrary-receives-nhprc-grant-to-digitize-messersmith-papers%2F&format=xml /blog/2012/04/library-receives-nhprc-grant-to-digitize-xxxsss-papers/ /features/dare/2014-seagrant-monitoring.jpg

-- FatemaWala - 2016-04-22

FatemaWala, we've reviewed this sig at your suggestion and have decided to remove it. It will be gone in the next update cycle. Thanks!

-- TravisGreen - 2016-04-22

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; classtype:web-application-attack; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; sid:2013068; rev:2;)

Added 2011-07-13 15:18:50 UTC

Added 2011-06-21 18:09:30 UTC

Added 2011-06-21 18:07:52 UTC

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2016-04-22 - TravisGreen
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats