[Emerging-Sigs] FP Reduction on SQL Injection Sigs
jake.warren at masergy.com
Tue Sep 23 15:13:20 EDT 2014
Hi ET & Community,
Within my environment, SQL injection signatures make up a significant
amount of all false positives I get. Inspired by your recent revision to
2006445 I examined a few other SQL injection signatures and made some
modifications to the pcres and wanted to share my results. Although I had a
relatively small sample size of true positives for some of the rules, I
didn't have any false negatives and the tweaks resulted in a reduction of
false positives. Below are the SIDs and pcres I'm using. I'm sure some of
the regex wizards on this list can come up with something even better.
2010963 pcre:"/SELECT[\/* +].+USER/Ui";
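
An added example, not part of the original post: a small regression harness that runs the pcre posted for SID 2010963 over labelled URIs, using Python's `re` as a stand-in for PCRE. Only the pcre is evaluated (not the rule's other options), and every sample URI and the `evaluate` helper are constructed for illustration.

```python
import re

# pcre body posted for SID 2010963. The /i modifier maps to re.IGNORECASE.
# The /U modifier only selects the normalized-URI buffer, so the strings
# below stand in for already-normalized URIs.
POSTED_PCRE = re.compile(r"SELECT[\/* +].+USER", re.IGNORECASE)

# Constructed samples: (normalized URI, analyst label: should this alert?)
SAMPLES = [
    # Benign: "select" is followed by a character outside [/* +]
    ("/shop/list?view=selected&filter=user", False),
    ("/api/v1/select-options?for=username", False),
    ("/forum/multiselect.php?user=42", False),
    # Benign free-text search that still satisfies the pattern
    ("/search?q=select+a+username", False),
    # Injection-style URIs
    ("/item.php?id=1+UNION+SELECT+name+FROM+users", True),
    ("/item.php?id=1 union select/**/user()", True),
    # Edge case: ".+" needs at least one character between the
    # separator and USER, so a single separator does not match
    ("/item.php?id=1+AND+(SELECT+USER())", True),
]


def evaluate(pattern, samples):
    """Return (false_positives, false_negatives) for labelled samples."""
    false_positives, false_negatives = [], []
    for uri, should_alert in samples:
        hit = pattern.search(uri) is not None
        if hit and not should_alert:
            false_positives.append(uri)
        elif not hit and should_alert:
            false_negatives.append(uri)
    return false_positives, false_negatives


if __name__ == "__main__":
    fps, fns = evaluate(POSTED_PCRE, SAMPLES)
    print("false positives:", fps)
    print("false negatives:", fns)
```

Replacing `SAMPLES` with labelled URIs exported from your own alert and proxy logs gives a before/after comparison for any candidate pcre.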