I am running Snort and a few days ago I added the following rules to local.rules (just found on the internet):
# Error Based SQL Injection
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%27" ; sid:100000011; )
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "22" ; sid:100000012; )
# Boolean Based SQL Injection
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000060; )
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000061; )
# Encoded AND/OR
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000008; )
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000009; )
# Identify Form Based SQL Injection
alert tcp any any -> any 80 (msg: "Form Based SQL Injection Detected"; content: "%27" ; sid:1000003; )
# Identify Order by SQL Injection
alert tcp any any -> any 80 (msg: "Order by SQL Injection"; content: "order" ; sid:1000005; )
# Identify Union Based SQL Injection
alert tcp any any -> any 80 (msg: "UNION SELECT SQL Injection"; content: "union" ; sid:1000006; )
Now, for the last few days, I have intermittently been getting alerts like the ones below:
09/16-06:56:07.702959 [**] [1:100000061:0] OR SQL Injection Detected [**] [Priority: 0] {TCP} XX.XXX.XXX.XX:41036 -> XX.XXX.XXX.XX:80
09/16-06:56:07.702959 [**] [1:100000009:0] OR SQL Injection Detected [**] [Priority: 0] {TCP} XX.XXX.XXX.XX:41036 -> XX.XXX.XXX.XX:80
09/16-06:56:07.702959 100.120.56.190:41036 -> 34.107.221.82:80
TCP TTL:64 TOS:0x0 ID:36967 IpLen:20 DgmLen:353 DF
***AP*** Seq: 0xCCC4772 Ack: 0x94D2196F Win: 0x1F6 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3751144199 2103252965
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
I don't know; I am not a coder and I have no idea whether the above rules are really giving real alerts or not. Kindly help.
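The matching behaviour of the rules quoted in the question, as an added Python example that is not part of the original post and does not run Snort itself: it models the `content:` / `nocase` keywords as a plain substring search over two constructed HTTP requests (one ordinary browser request, one with a quote-and-`or 1=1` payload in the query string), and compares the result with a tightened, hypothetical rule set that only inspects the percent-decoded request URI using word-boundary regular expressions, which is the spirit of Snort 2's `http_uri` content modifier and `pcre` keyword. The two sample requests, the sids 9000001 to 9000004 and all function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not captured traffic). The benign one is a
# normal browser request; the second carries an SQL injection attempt.
BENIGN_REQUEST = (
    "GET /support/brands.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"
    "Accept: text/html\r\n\r\n"
)
ATTACK_REQUEST = (
    "GET /item.php?id=1%27%20or%201=1--%20 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept: text/html\r\n\r\n"
)

# The rules from the question, reduced to (sid, msg, content, nocase).
LOOSE_RULES = [
    (100000011, "Error Based SQL Injection Detected", "%27", False),
    (100000012, "Error Based SQL Injection Detected", "22", False),
    (100000060, "AND SQL Injection Detected", "and", True),
    (100000061, "OR SQL Injection Detected", "or", True),
    (100000008, "AND SQL Injection Detected", "and", True),
    (100000009, "OR SQL Injection Detected", "or", True),
    (1000003, "Form Based SQL Injection Detected", "%27", False),
    (1000005, "Order by SQL Injection", "order", False),
    (1000006, "UNION SELECT SQL Injection", "union", False),
]

# Hypothetical tightened rules: (sid, msg, regex applied to the decoded URI only).
TIGHT_RULES = [
    (9000001, "SQLi: single quote in URI", r"'"),
    (9000002, "SQLi: boolean OR/AND comparison in URI",
     r"(?i)\b(?:or|and)\b\s+\S+\s*="),
    (9000003, "SQLi: UNION SELECT in URI", r"(?i)\bunion\s+(?:all\s+)?select\b"),
    (9000004, "SQLi: ORDER BY in URI", r"(?i)\border\s+by\b"),
]


def content_match(payload, content, nocase):
    """Model Snort's `content:` keyword: a substring search anywhere in the
    TCP payload, case-insensitive when `nocase` is set."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def fired_loose(payload, rules=LOOSE_RULES):
    """Sids of the question's rules that would fire on this payload."""
    return sorted(sid for sid, _msg, content, nocase in rules
                  if content_match(payload, content, nocase))


def request_uri(payload):
    """Return the percent-decoded URI from the HTTP request line. This is a
    simplified stand-in for the normalised buffer Snort's HTTP preprocessor
    gives `http_uri` (no path normalisation, no double-decoding)."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return unquote(parts[1]) if len(parts) >= 2 else ""


def fired_tight(payload, rules=TIGHT_RULES):
    """Sids of the hypothetical tightened rules that fire on the URI only."""
    uri = request_uri(payload)
    return sorted(sid for sid, _msg, pattern in rules if re.search(pattern, uri))


def explain_loose_hits(payload, rules=LOOSE_RULES):
    """For each firing loose rule, show the word in the payload that contains
    the literal, to make the false-positive cause visible."""
    hits = {}
    for sid, _msg, content, nocase in rules:
        flags = re.IGNORECASE if nocase else 0
        m = re.search(r"\S*" + re.escape(content) + r"\S*", payload, flags)
        if m:
            hits[sid] = m.group(0)
    return hits


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("attack", ATTACK_REQUEST)):
        print(f"{name}: loose rules fired {fired_loose(req)}")
        for sid, word in explain_loose_hits(req).items():
            print(f"    sid {sid} matched inside {word!r}")
        print(f"{name}: tight rules fired {fired_tight(req)}")
```

Running it shows the ordinary request to `/support/brands.html` from a Firefox 122 browser trips five of the nine rules, because "support" and "Authorization" contain `or`, "brands" contains `and` and "122.0" contains `22`; a bare `content:"or"; nocase;` on every port-80 packet is in practice a match-almost-everything rule, which is why the alerts arrive intermittently with no attack behind them. The tightened set stays silent on the benign request and still fires on the injection attempt, because it looks only at the decoded URI and requires whole words.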