[Emerging-Sigs] FP Reduction on SQL Injection Sigs

Darien Huss dhuss at emergingthreats.net
Wed Sep 24 08:33:33 EDT 2014

Thanks Jake, we'll take a look at this today!


On Tue, Sep 23, 2014 at 3:13 PM, Jake Warren <jake.warren at masergy.com>

> Hi ET & Community,
> Within my environment, SQL injection signatures make up a significant
> amount of all false positives I get. Inspired by your recent revision to
> 2006445 I examined a few other SQL injection signatures and made some
> modifications to the pcres and wanted to share my results. Although I had a
> relatively small sample size of true positives for some of the rules, I
> didn't have any false negatives and the tweaks resulted in a reduction of
> false positives. Below are the SIDs and pcres I'm using. I'm sure some of
> the regex wizards on this list can come up with something even better.
> 2006447 pcre:"/[&\?].*UPDATE[^a-z]+SET\x20*[A-Za-z0-9]*\x20*\x3d/Ui";
> 2006443 pcre:"/DELETE\b.*FROM/Ui";
> 2010963 pcre:"/SELECT[\/* +].+USER/Ui";
> 2006444 pcre:"/INSERT[^\w]+INTO/Ui";
> -Jake Warren
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140924/6c05ea9c/attachment.html>

More information about the Emerging-sigs mailing list