"SQL Query in HTTP Request" (5474:0)

Hi,

The IDS signature "SQL Query in HTTP Request" (5474:0) does not recognize all malicious SQL selects. Currently, the regexp looks like ([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+]). We noticed that subselects do not trigger the signature. For example, "...(select%20something%20from%20somethingmore%20where%20variable%20=%20(select%20....." which could be malicious. Is there any possibility to include "(" in the regexp to detect subselects?

Regards,

/Ola

1 REPLY

Re: "SQL Query in HTTP Request" (5474:0)

hmmm...That should actually match just fine. Let's break it down:

([%]20|[=]|[+]) <--"%20","=",or "+"

[Ss][Ee][Ll][Ee][Cc][Tt] <-- "SELECT"

([%]20|[+]) <--"%20" or "+"

[^\r\n\x00-\x19\x7F-\xFF]+ <-- NOT one or more ascii control or extended chars

([%]20|[+]) <-- "%20" or "+"

[Ff][Rr][Oo][Mm] <-- "FROM"

([%]20|[+]) <-- "%20" or "+"

The only reason I can think that it wouldn't match is if there are some funky characters between the first SELECT and the first FROM (i.e. carriage return/line feed, etc). Also remember that a %20 or = or + must precede the SELECT and that a %20 or + must follow the FROM.
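To see how the two posts fit together, here is the quoted signature regex run over a few constructed request lines (an added example, not part of the thread or of Cisco's signature set; the sample lines, the variable names and the second pattern that additionally accepts "(" before SELECT, which is what the poster asks about, are assumptions):

```python
import re

# The 5474:0 regex exactly as quoted in the thread, with the opening "(" of
# the first group restored.  Only %20, "=" or "+" may precede SELECT.
SIG_5474_0 = re.compile(
    r"([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    r"[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)

# Hypothetical variant (assumption, not a Cisco signature): the first group
# also accepts a literal "(" so that a SELECT opening a subselect is seen.
SIG_WITH_PAREN = re.compile(
    r"([%]20|[=]|[+]|[(])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    r"[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)

# Constructed request lines: one matching the original pattern, the poster's
# subselect shape, a benign query containing the word "selected", and one
# with a real control character (TAB) between SELECT and FROM.
SAMPLES = {
    "plain": "GET /item.asp?id=1%20select%20name%20from%20users%20where%20x=1 HTTP/1.0",
    "subselect": (
        "GET /item.asp?id=(select%20something%20from%20somethingmore%20"
        "where%20variable%20=%20(select%20x%20from%20y%20where%20z=1)) HTTP/1.0"
    ),
    "benign": "GET /search.asp?q=selected%20from%20the%20list HTTP/1.0",
    "control_char": "GET /x.asp?id=1%20select%20a\tb%20from%20c HTTP/1.0",
}


def matches(pattern, request_line):
    """True if the signature regex fires anywhere in the request line."""
    return pattern.search(request_line) is not None


def check_all(pattern):
    """Map each sample name to whether the given pattern fires on it."""
    return {name: matches(pattern, line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, pat in (("5474:0 as quoted", SIG_5474_0), ("with '(' added", SIG_WITH_PAREN)):
        print(label, check_all(pat))
```

The original pattern fires on "plain" but not on the subselect line, because "(" rather than %20, "=" or "+" precedes each SELECT; the "control_char" line shows the reply's other point, a control byte between SELECT and FROM breaking the middle character class.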
