Regex help for SQL update statement

Unanswered Question
Oct 2nd, 2007
User Badges:

Hello,


need help from IPS regex guru - trying to build the signature to detect SQL update statement in HTTP requests.


1) Am I correct with regex below specified as Request-Regex?


[Uu][Pp][Dd][Aa][Tt][Ee]([%]20|[+])[\x20-\x7e]+[Ss][Ee][Tt]([%]20|[+])[\x20-\x7e]+=


2) How do I make sure that it detects 'Update' in URI and Arguments only and not in the body on entire webserver response (currently looks like the case)?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mhellman Thu, 10/04/2007 - 13:22
User Badges:
  • Blue, 1500 points or more

1) It looks correct to me

2) Typically, the "service HTTP" engine is used to inspect requests and the "TCP string" engine is used to inspect HTTP server responses. If you only want to inspect requests, use the service HTTP engine.

Actions

This Discussion