"SQL Query in HTTP Request" (5474:0)

r.stahlbrand
Level 1

Hi,

The IDS signature "SQL Query in HTTP Request" (5474:0) does not recognize all malicious SQL selects. Currently, the regexp looks like ([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+]). We noticed that subselects do not trigger the signature. For example, "...(select%20something%20from%20somethingmore%20where%20variable%20=%20(select%20....." which could be malicious. Is there any possibility to include "(" in the regexp to detect subselects?

Regards,

/Ola

1 Reply

mhellman
Level 7

hmmm...That should actually match just fine. Let's break it down:

([%]20|[=]|[+]) <--"%20","=",or "+"

[Ss][Ee][Ll][Ee][Cc][Tt] <-- "SELECT"

([%]20|[+]) <--"%20" or "+"

[^\r\n\x00-\x19\x7F-\xFF]+ <-- NOT one or more ascii control or extended chars

([%]20|[+]) <-- "%20" or "+"

[Ff][Rr][Oo][Mm] <-- "FROM"

([%]20|[+]) <-- "%20" or "+"

The only reason I can think that it wouldn't match is if there are some funky characters between the first SELECT and the first FROM (i.e. carriage return/line feed, etc). Also remember that a %20 or = or + must precede the SELECT and that a %20 or + must follow the FROM.
