#https://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection - Paranoid";flow:to_server,established;pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:909900;rev:5;)
#alert tcp any any -> any $HTTP_PORTS (msg:"Modified regex for detection of SQL meta-characters";flow:to_server,established;pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(\;))/i"; classtype:Web-application-attack; sid:910000;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for typical SQL Injection attack";flow:to_server,established;pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix"; classtype:Web-application-attack; sid:910001;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for detecting SQL Injection with the UNION keyword";flow:to_server,established;pcre:"/((\%27)|(\'))union/ix"; classtype:Web-application-attack; sid:910002;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for detecting SQL Injection attacks on a MS SQL Server";flow:to_server,established;pcre:"/exec(\s|\+)+(s|x)p\w+/ix"; classtype:Web-application-attack; sid:910003;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for simple CSS attack";flow:to_server,established;pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix"; classtype:Web-application-attack; sid:910004;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for img src CSS attack";flow:to_server,established;pcre:"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I"; classtype:Web-application-attack; sid:910005;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Paranoid regex for CSS attacks";flow:to_server,established;pcre:"/((\%3C)|<)[^\n]+((\%3E)|>)/I"; classtype:Web-application-attack; sid:910006;rev:5;)
It works perfectly! Thank you very much!
ReplyDelete