Ask Your Question
0

OR SQL Injection Detected

asked 2021-09-16 01:56:02 +0000

aks gravatar image

updated 2021-09-16 02:12:34 +0000

I am running snort and a few days ago I added following rules to local.rules(just found on internet):

    alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%27" ; sid:100000011; ) 
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "22" ; sid:100000012; )
    #Boolean Based SQL Injection 
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000060; ) 
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000061; )
    # Encoded AND/OR 
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000008; ) 
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000009; )
    # Identify Form Based SQL Injection 
alert tcp any any -> any 80 (msg: "Form Based SQL Injection Detected"; content: "%27" ; sid:1000003; )
    # Identify Order by SQL Injection 
alert tcp any any -> any 80 (msg: "Order by SQL Injection"; content: "order" ; sid:1000005; )
    # Identify Union Based SQL Injection 
alert tcp any any -> any 80 (msg: "UNION SELECT SQL Injection"; content: "union" ; sid:1000006; )

Now for last few days, intermittently, I am getting alerts like below:

09/16-06:56:07.702959  [**] [1:100000061:0] OR SQL Injection Detected [**] [Priority: 0] {TCP} XX.XXX.XXX.XX:41036 -> XX.XXX.XXX.XX:80
09/16-06:56:07.702959  [**] [1:100000009:0] OR SQL Injection Detected [**] [Priority: 0] {TCP} XX.XXX.XXX.XX:41036 -> XX.XXX.XXX.XX:80
09/16-06:56:07.702959 100.120.56.190:41036 -> 34.107.221.82:80
TCP TTL:64 TOS:0x0 ID:36967 IpLen:20 DgmLen:353 DF
***AP*** Seq: 0xCCC4772  Ack: 0x94D2196F  Win: 0x1F6  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3751144199 2103252965 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Whereas in wireshark pcap the same TCP stream is showing as "TCP retransmission". I don't know I am not a coder and I have no idea if above rules really giving some real alert or not. Kindly Help.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-09-18 15:31:25 +0000

Eddi gravatar image

updated 2021-09-18 15:32:34 +0000

Hello aks

First of all, Wireshark is good for network analysis, it's not an IDS. However, Wireshark is super-useful to identify matters that were picked up by an IDS.

That being said, I suggest that you refine your SNORT rules. The current rules trigger on the content "or" and "and" respectively. This would generate a ton of false positive, for example with words like "foreign" or "land". Please don't forget to rewrite all your rules (not just the AND and OR rules).

I suggest, that you take this question to security forum.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-09-16 01:56:02 +0000

Seen: 1,579 times

Last updated: Sep 18 '21