Wednesday, July 12, 2017

A Snort rule file for identifying SQL Injection and XSS

#https://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
# Each rule below runs its pcre against the client-to-server HTTP stream; classtype uses Snort's lowercase name web-application-attack.

# Fires on any quote, double dash or hash, plain or URL-encoded. Very noisy: it also matches legitimate input such as names containing an apostrophe.
alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection - Paranoid";flow:to_server,established;pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:web-application-attack; sid:909900;rev:5;)

# Variant that additionally requires an '=' (a parameter assignment) earlier on the line; left commented out by the author.
#alert tcp any any -> any $HTTP_PORTS (msg:"Modified regex for detection of SQL meta-characters";flow:to_server,established;pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(\;))/i"; classtype:web-application-attack; sid:910000;rev:5;)

# A quote followed by "or", with each letter accepted plain or URL-encoded in either case.
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for typical SQL Injection attack";flow:to_server,established;pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix"; classtype:web-application-attack; sid:910001;rev:5;)

# A quote immediately followed by the UNION keyword.
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for detecting SQL Injection with the UNION keyword";flow:to_server,established;pcre:"/((\%27)|(\'))union/ix"; classtype:web-application-attack; sid:910002;rev:5;)

# "exec" followed by whitespace or '+' and an sp_/xp_ style stored-procedure name (MS SQL Server).
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for detecting SQL Injection attacks on a MS SQL Server";flow:to_server,established;pcre:"/exec(\s|\+)+(s|x)p\w+/ix"; classtype:web-application-attack; sid:910003;rev:5;)

# Any opening or closing HTML tag, plain or URL-encoded. "CSS" in these messages is the old abbreviation for cross-site scripting.
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for simple CSS attack";flow:to_server,established;pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix"; classtype:web-application-attack; sid:910004;rev:5;)

# An <img ...> tag with each letter plain or URL-encoded. Modifier corrected from /I to /i so encoded hex digits match in either case, as in the rules above.
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for img src CSS attack";flow:to_server,established;pcre:"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i"; classtype:web-application-attack; sid:910005;rev:5;)

# Anything between '<' and '>', plain or URL-encoded; very noisy. Modifier corrected from /I to /i.
alert tcp any any -> any $HTTP_PORTS (msg:"Paranoid regex for CSS attacks";flow:to_server,established;pcre:"/((\%3C)|<)[^\n]+((\%3E)|>)/i"; classtype:web-application-attack; sid:910006;rev:5;)
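To see what these signatures actually fire on before deploying them, here is an added Python harness (not part of the original post or the Symantec article) that ports the pcre bodies to Python's re module and runs them over a few constructed request lines; it assumes the two rules written with /I were meant to be case-insensitive. It makes the false-positive cost of the paranoid rules visible: a benign query containing an apostrophe trips both sid 909900 and the commented-out 910000.

```python
import re

# Ported from the Snort rules above: sid -> (msg, pcre body, Python flags).
# Snort /i and /x map to re.I and re.X; the two rules written with /I are
# treated as /i here (assumption: they were meant case-insensitive).
RULES = {
    909900: ("SQL Injection - Paranoid",
             r"(\%27)|(\')|(\-\-)|(%23)|(#)", re.I),
    910000: ("Modified regex for detection of SQL meta-characters",
             r"((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(\;))", re.I),
    910001: ("Regex for typical SQL Injection attack",
             r"\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))", re.I | re.X),
    910002: ("Regex for detecting SQL Injection with the UNION keyword",
             r"((\%27)|(\'))union", re.I | re.X),
    910003: ("Regex for detecting SQL Injection attacks on a MS SQL Server",
             r"exec(\s|\+)+(s|x)p\w+", re.I | re.X),
    910004: ("Regex for simple CSS attack",
             r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)", re.I | re.X),
    910005: ("Regex for img src CSS attack",
             r"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))"
             r"[^\n]+((\%3E)|>)", re.I),
    910006: ("Paranoid regex for CSS attacks",
             r"((\%3C)|<)[^\n]+((\%3E)|>)", re.I),
}
COMPILED = {sid: re.compile(body, flags) for sid, (_, body, flags) in RULES.items()}

# Constructed request lines (not captured traffic): two benign, three hostile.
SAMPLES = {
    "benign_path": "GET /docs/index.html HTTP/1.1",
    "benign_name": "GET /search?q=O'Brien HTTP/1.1",
    "sqli_union":  "GET /item?id=1'union select 1,2 HTTP/1.1",
    "xss_encoded": "GET /page?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "xss_img":     "GET /profile?bio=<img src=x onerror=alert(1)> HTTP/1.1",
}

def matching_sids(request_line: str) -> set[int]:
    """Return the sids whose pcre would fire on a single HTTP request line."""
    return {sid for sid, rx in COMPILED.items() if rx.search(request_line)}

def classify_samples() -> dict[str, list[int]]:
    """Run every sample through every rule; sorted sids per sample name."""
    return {name: sorted(matching_sids(line)) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, sids in classify_samples().items():
        print(f"{name:<12} {[RULES[s][0] for s in sids]}")
```

Note that sid 910001 requires the "or" to follow the quote with nothing in between, so a space between them is enough to leave only the paranoid rules firing; that is the trade-off between the tight and the noisy signatures.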

Monday, July 10, 2017

What makes security products eligible to be sold? [PART II]

For a cybersecurity product to be sold in the United States, the two certifications listed here should be obtained:
- Common Criteria (at least EAL2+)
- The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2)

Sunday, July 9, 2017

Two good sites providing packet analysis resources.

http://www.malware-traffic-analysis.net/
Provides a variety of PCAP files for you to analyze.

https://packettotal.com/

Similar to VirusTotal, it offers an interface that lets you submit suspicious packets for analysis.