[Emerging-Sigs] 2 web_server sigs

Kevin Ross kevross33 at googlemail.com
Tue Oct 6 09:46:30 EDT 2009


Perhaps a select content match in front of it? I am not sure.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"INTO"; nocase; uricontent:"OUTFILE"; nocase; pcre:"/INTO.+OUTFILE/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; sid:180000002; rev:1;)

2009/10/6 Matt Jonkman <jonkman at jonkmans.com>

> The second one's been added, but I'm not sure on the first. That can
> occur in a lot of very normal ways....
>
> Anyone else have a thought there?
>
> Matt
>
> Kevin Ross wrote:
> > Not sure about the noise or relevance of the first idea but the second
> > should be fine in detecting SQL Injection using into outfile. Kev
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER .conf in URI, Possible Configuration File Access Attempt"; flow:established,to_server; uricontent:".conf"; nocase; classtype:web-application-attack; sid:180000001; rev:1;)
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt"; flow:established,to_server; uricontent:"INTO"; nocase; uricontent:"OUTFILE"; nocase; pcre:"/INTO.+OUTFILE/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; sid:180000002; rev:1;)
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
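As an added illustration (not part of the thread and not Emerging Threats code), the following Python evaluator approximates how the uricontent and pcre options of the two proposed signatures combine against a normalized URI, and runs them over constructed sample requests to show why the ".conf" rule fires on ordinary traffic while the INTO OUTFILE rule with the extra SELECT match does not; the normalizer is a simplification of Snort's HTTP inspection, and the sample URIs are made up.

```python
import re
from urllib.parse import unquote_plus

# Ordered uricontent keywords and pcre for each signature from the thread
# (rule names shortened; assumption: the engine ANDs all options).
RULES = {
    "ET WEB_SERVER .conf in URI": {"uricontent": [".conf"], "pcre": None},
    "ET WEB_SERVER Possible SQL Injection INTO OUTFILE": {
        "uricontent": ["SELECT", "INTO", "OUTFILE"],
        "pcre": re.compile(r"INTO.+OUTFILE", re.IGNORECASE),  # the /Ui pcre
    },
}

def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized URI buffer that uricontent and pcre /U
    inspect: percent-decode and treat '+' as a space. Snort's HTTP
    preprocessor does more (traversal, multi-slash), so this is simplified."""
    return unquote_plus(raw_uri)

def rule_matches(rule: dict, raw_uri: str) -> bool:
    """Every uricontent (nocase) must be present before the pcre is tried.
    The cheap substring checks gate the regex, which is how the added
    SELECT match narrows what reaches the INTO.+OUTFILE pattern."""
    uri = normalize_uri(raw_uri)
    folded = uri.lower()
    if not all(kw.lower() in folded for kw in rule["uricontent"]):
        return False
    return rule["pcre"] is None or rule["pcre"].search(uri) is not None

def evaluate(raw_uri: str) -> list:
    """Return the names of all rules that fire on one request URI."""
    return [name for name, rule in RULES.items() if rule_matches(rule, raw_uri)]

# Constructed sample URIs: two benign requests and one injection-shaped one.
SAMPLES = [
    "/docs/httpd.conf.html",                    # benign: docs page, rule 1 fires
    "/index.php?page=into-the-wild&sort=name",  # benign: 'into' without OUTFILE
    "/item.php?id=1+union+select+1+into+outfile+'/tmp/probe.txt'",  # rule 2 fires
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", evaluate(uri) or ["no match"])
```

Swapping the `uricontent:"SELECT"` entry out of the second rule reproduces the earlier revision, which lets any URI with "into ... outfile" reach the regex.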

