[Emerging-Sigs] FP Reduction on SQL Injection Sigs

Jake Warren jake.warren at masergy.com
Tue Sep 23 15:13:20 EDT 2014


Hi ET & Community,

Within my environment, SQL injection signatures make up a significant
amount of all false positives I get. Inspired by your recent revision to
2006445, I examined a few other SQL injection signatures and made some
modifications to the pcres and wanted to share my results. Although I had a
relatively small sample size of true positives for some of the rules, I
didn't have any false negatives and the tweaks resulted in a reduction of
false positives. Below are the SIDs and pcres I'm using. I'm sure some of
the regex wizards on this list can come up with something even better.

2006447 pcre:"/[&\?].*UPDATE[^a-z]+SET\x20*[A-Za-z0-9]*\x20*\x3d/Ui";
2006443 pcre:"/DELETE\b.*FROM/Ui";
2010963 pcre:"/SELECT[\/* +].+USER/Ui";
2006444 pcre:"/INSERT[^\w]+INTO/Ui";

-Jake Warren
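As an added illustration (not part of Jake's post), the script below runs his revised pcres against a handful of constructed URIs, using Python's re module as a stand-in for the rule engine's PCRE (the "U" flag means the pattern is applied to the normalized URI, so the samples are URIs, and "i" becomes re.IGNORECASE). The benign look-alikes are invented examples of the kind of traffic the tightened patterns are meant to skip.

```python
import re

# Revised pcre bodies from the post, keyed by SID.
SIGS = {
    "2006447": r"[&\?].*UPDATE[^a-z]+SET\x20*[A-Za-z0-9]*\x20*\x3d",
    "2006443": r"DELETE\b.*FROM",
    "2010963": r"SELECT[\/* +].+USER",
    "2006444": r"INSERT[^\w]+INTO",
}
COMPILED = {sid: re.compile(p, re.IGNORECASE) for sid, p in SIGS.items()}

# Constructed sample URIs (not real traffic): (uri, sid, should_alert).
# The benign entries contain the SQL keyword but not in an injection
# context, e.g. "deleted_from_cart" has no word boundary after DELETE and
# "insert_into_list" has a word character between INSERT and INTO.
SAMPLES = [
    ("/news?updateset=1&sort=asc",          "2006447", False),
    ("/item.php?id=1;DELETE+FROM+users",    "2006443", True),
    ("/cart?event=deleted_from_cart&id=7",  "2006443", False),
    ("/q?id=1+UNION+SELECT+1,user()",       "2010963", True),
    ("/admin/selected_users?page=2",        "2010963", False),
    ("/q.php?x=1;INSERT+INTO+t+VALUES(1)",  "2006444", True),
    ("/page?action=insert_into_list",       "2006444", False),
]


def matches(sid, uri):
    """True if the pcre for `sid` fires on the given normalized URI."""
    return COMPILED[sid].search(uri) is not None


def evaluate(samples=SAMPLES):
    """Return (true_positives, false_positives, false_negatives)."""
    tp = fp = fn = 0
    for uri, sid, should_alert in samples:
        hit = matches(sid, uri)
        if hit and should_alert:
            tp += 1
        elif hit and not should_alert:
            fp += 1
        elif not hit and should_alert:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    for uri, sid, should_alert in SAMPLES:
        print(f"{sid} {'HIT ' if matches(sid, uri) else 'miss'} "
              f"(expected {'hit' if should_alert else 'miss'}) {uri}")
    print("TP/FP/FN:", evaluate())
```

Dropping a URI from SAMPLES or adding your own captured true positives is the quickest way to re-check a pattern after further tweaking.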