
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------
# SQL RULES
#-----------
## Reviewer notes (local annotations only; no rule text below has been changed).
##
## Reading this file: a line that starts with "# alert" is a DISABLED Sourcefire
## rule, not commentary. In this copy the only rules that are live are the ones
## whose metadata carries "policy balanced-ips drop", plus the solidDB flowbit
## setter (sid:23393, which never alerts on its own). Everything else -- every
## xp_cmdshell / sp_password / sp_adduser stored-procedure rule, the MSSQL "sa"
## brute-force rules, the Slammer rules, most of the generic injection rules --
## is off and must be enabled deliberately.
##
## Prerequisites: the rules reference $SQL_SERVERS, $HTTP_SERVERS, $HTTP_PORTS,
## $HOME_NET and $EXTERNAL_NET; Snort will not start if any of them is undefined
## in snort.conf. Rules using http_uri / http_client_body only match on ports
## that the http_inspect preprocessor is configured for, so $HTTP_PORTS and the
## http_inspect port list must agree. NOTE(review): in the stock snort.conf
## SQL_SERVERS usually just aliases $HOME_NET -- narrow it to the real database
## hosts so the port-1433 rules are not evaluated against every internal host.
##
## Scope caveat: all of the TDS (1433/139/445) and DRDA (50000) rules are
## plaintext content matches. They see nothing once the database session is
## TLS-encrypted (SQL Server "Force Encryption", DB2 SSL), so treat them as a
## complement to database audit logging, not a replacement for it.
##
## Do not edit vendor rules in place: a rule refresh (pulledpork or similar)
## overwrites this file. Override or extend with a copy in local.rules using a
## sid in the local range (>= 1000000) and your own rev, and enable/disable
## upstream sids through the rule-management tool rather than by hand here.
##
## --- MSSQL stored-procedure abuse over SMB named pipes (139), TDS (1433) and
## 445. All disabled. The content strings are UCS-2 encoded (x|00|p|00|...)
## because TDS 7.x carries the T-SQL batch text as UTF-16LE. xp_cmdshell on the
## wire is the network-side signal for OS command execution through SQL Server
## (reference bugtraq 5309); sp_password / sp_adduser are the account-tampering
## signals. Worth enabling (sids 687/1759 and 683/685 at minimum) wherever MSSQL
## is reachable from less-trusted networks; they match raw query text, so expect
## hits from legitimate admin tooling and tune with suppress/threshold instead
## of leaving them off.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; metadata:ruleset community; classtype:attempted-user; sid:676; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:677; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:678; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; metadata:ruleset community; classtype:attempted-user; sid:679; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:673; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:683; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:684; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:685; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:1759; rev:10;)
## ENABLED (drop in balanced, security and even connectivity). Fires on every
## single "Login failed for user 'sa'" reply -- there is no detection_filter --
## so one mistyped password is an alert and, inline, a drop. NOTE(review): the
## match is plain ASCII; TDS 7+ ERROR tokens carry the message text in UCS-2,
## which is the form the disabled sid:3273 below matches, so against a current
## SQL Server this rule may never fire -- verify with a deliberate failed login.
## Dropping the server's error reply also does not stop the attempt that caused
## it; if blocking is the goal, the to_server rules sid:3542/3543 are the ones
## that act on the attacker's packets.
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16;)
## --- SQL Slammer (CVE-2002-0649) over UDP/1434, inbound (2003) and outbound
## (2004), plus the SQL Browser "ping" probe (2049). All disabled. sid:2004 is
## the one with lasting value: its $HOME_NET -> $EXTERNAL_NET direction makes it
## an infected-internal-host signal. sid:2049 matches a single 0x02 byte and is
## likely to be noisy on any segment where SQL Browser discovery is in use.
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; fast_pattern:only; content:"sock"; content:"send"; metadata:ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:15;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; fast_pattern:only; content:"sock"; content:"send"; metadata:ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL ping attempt"; flow:to_server; content:"|02|"; depth:1; metadata:ruleset community; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:8;)
## --- "sa" brute-force rules (T1110). All disabled. NOTE(review): the three
## to_client variants (3273, 3152, 4984) use detection_filter track by_src, and
## in that direction the source address is the SQL server, so the 5-in-2s
## threshold aggregates failures from ALL clients against one server rather
## than per attacker; track by_dst would count per client. The to_server
## variants (3542 for TDS 4.2 login packets -- type byte 0x02, user name at its
## fixed offset -- and 3543 for TDS 7/8 LOGIN7, type byte 0x10, user name found
## via byte_jump) already count per attacker. All five use flow:no_stream, so
## they evaluate raw packets rather than reassembled stream data.
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:to_client,established,no_stream; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3273; rev:10;)
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login attempt"; flow:to_client,established,no_stream; content:"Login failed for user 'sa'"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3152; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt"; flow:to_server,established,no_stream; content:"|02|"; depth:1; content:"sa"; depth:2; offset:39; nocase; detection_filter:track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:3542; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS v7/8"; flow:to_server,established,no_stream; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34; content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"; byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; detection_filter:track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:3543; rev:8;)
# alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:to_client,established,no_stream; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:4984; rev:7;)
## --- Legacy MSSQL formatmessage overflow (CVE-2001-0542) and Firebird fbserver
## (CVE-2007-3181). Disabled. 8494/8495 are keyword-only matches with no length
## check, so any legitimate query calling FORMATMESSAGE would trip them.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL formatmessage possible buffer overflow"; flow:to_server,established; content:"f|00|o|00|r|00|m|00|a|00|t|00|m|00|e|00|s|00|s|00|a|00|g|00|e|00|"; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-admin; sid:8494; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL formatmessage possible buffer overflow"; flow:to_server,established; content:"f|00|o|00|r|00|m|00|a|00|t|00|m|00|e|00|s|00|s|00|a|00|g|00|e|00|"; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-admin; sid:8495; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SQL Firebird SQL Fbserver buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; byte_jump:4,12,big,relative; byte_test:2,>,10,1,big,relative; reference:cve,2007-3181; classtype:attempted-user; sid:12009; rev:3;)
## --- Bare stored-procedure / tool names in HTTP requests (ftp.exe, xp_cmdshell,
## xp_regread, ...). Disabled. None of these carries an http_uri or
## http_client_body modifier, so they search the entire request -- headers and
## uploaded content included -- and will also match the strings inside
## documentation or code being posted. If you enable xp_cmdshell (1061), do so
## knowing that source of noise.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL ftp attempt"; flow:to_server,established; content:"ftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1057; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1058; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1059; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1060; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,5309; classtype:web-application-attack; sid:1061; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1069; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regenumvalues attempt"; flow:to_server,established; content:"xp_regenumvalues"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13994; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_servicecontrol attempt"; flow:to_server,established; content:"xp_servicecontrol"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13996; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regdeletevalue attempt"; flow:to_server,established; content:"xp_regdeletevalue"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13992; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regremovemultistring attempt"; flow:to_server,established; content:"xp_regremovemultistring"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13995; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_loginconfig attempt"; flow:to_server,established; content:"xp_loginconfig"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13997; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regaddmultistring attempt"; flow:to_server,established; content:"xp_regaddmultistring"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13991; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_terminate_process attempt"; flow:to_server,established; content:"xp_terminate_process"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13998; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regenumkeys attempt"; flow:to_server,established; content:"xp_regenumkeys"; fast_pattern:only; metadata:service http; classtype:web-application-activity; sid:13993; rev:4;)
## --- Generic SQL-injection rules over HTTP. GET variants match the normalized
## URI (http_uri, which with the usual http_inspect settings is already
## percent-decoded); POST variants match http_client_body, which is NOT
## decoded, which is why several POST rules exist in raw and %-encoded pairs.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL char and sysobjects - possible sql injection recon attempt"; flow:to_server,established; content:"CHAR|28|"; nocase; http_uri; content:"CHAR|28|"; distance:0; nocase; http_uri; content:"CHAR|28|"; distance:0; nocase; http_uri; content:"[sysobjects]"; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:15584; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL ansi_padding option"; flow:to_server,established; content:"ansi_padding"; pcre:"/set\s+ansi_padding\s+off/smi"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2008-0106; reference:url,msdn.microsoft.com/en-us/library/ms187403.aspx; classtype:policy-violation; sid:16074; rev:4;)
## ENABLED (drop). Requires both "/*" and "*/" in the URI and one of
## update/exec/insert/union before the comment with no "/" or "\" in between
## ([^\/\\]*). NOTE(review): any application URL that legitimately carries one
## of those keywords followed by a C-style comment in the same path segment
## will be dropped inline -- check it against your URL space before trusting
## the drop action.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql with comments injection attempt - GET parameter"; flow:to_server,established; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/(update|exec|insert|union)[^\/\\]*\/\*.*\*\//Uis"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:16431; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"SQL Jive Software Openfire Jabber Server SQL injection attempt"; flow:to_server, established; content:"sipark-log-summary.j"; nocase; http_uri; pcre:"/sipark-log-summary\.jsp\?(username|numa(a|b)|type)[^\s]*\s/Umi"; metadata:policy security-ips drop, service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-user; sid:16513; rev:3;)
## Disabled. Note the "(%20|\+)+" separator idiom for POST bodies: it accepts
## either form-encoding of a space, which is the pattern the enabled sid:30040
## further down does not follow.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - POST parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_client_body; content:"select"; nocase; http_client_body; pcre:"/union(%20|\+)+(all(%20|\+)+)?select(%20|\+)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; classtype:misc-attack; sid:15874; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL counter.exe access"; flow:to_server,established; content:"/counter.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - POST parameter"; flow:to_server,established; content:"update+"; fast_pattern:only; http_client_body; content:"set"; nocase; http_client_body; pcre:"/update\+[^&\n+]+?(%20|\+)set(%20|\+)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; classtype:web-application-attack; sid:15876; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql exec injection attempt - GET parameter"; flow:to_server,established; content:"exec"; fast_pattern:only; http_uri; pcre:"/exec\s+master/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13512; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection attempt - POST parameter"; flow:to_server,established; content:"insert "; fast_pattern:only; http_client_body; pcre:"/insert\s+into\s+[^\/\\]+/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:15875; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET parameter"; flow:to_server,established; content:"update"; fast_pattern:only; http_uri; pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL queryhit.htm access"; flow:to_server,established; content:"/samples/search/queryhit.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql exec injection attempt - POST parameter"; flow:to_server,established; content:"exec "; fast_pattern; nocase; http_client_body; content:"master"; nocase; http_client_body; pcre:"/exec\s+master/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:15877; rev:10;)
## ENABLED (drop). Source is "any any" rather than $EXTERNAL_NET on purpose:
## the hard-coded Siemens WinCC database account (CVE-2010-2772, T1078) is most
## likely to be used from inside the plant network, so lateral use from
## $HOME_NET is in scope. NOTE(review): both content matches are plain ASCII;
## a TDS 7 LOGIN7 packet carries the user name in UCS-2 and the password field
## byte-obfuscated, so this only matches when the credential crosses the wire
## in clear (e.g. a TDS 4.2 login or a connection string embedded in some other
## payload). Confirm against a capture from the real client stack before
## relying on it as the only control for that account.
alert tcp any any -> $SQL_SERVERS 1433 (msg:"SQL WinCC DB default password security bypass attempt"; flow:to_server,established; content:"WinCCConnect"; content:"2WSXcder"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2010-2772; reference:url,attack.mitre.org/techniques/T1078; reference:url,support.automation.siemens.com/WW/view/en/43876783; classtype:attempted-user; sid:17044; rev:4;)
## ENABLED (drop). Tautology tests in the decoded URI: "and"/"or" followed by
## whitespace or /**/ padding ([\s\x2F\x2A]+) and then 1=0 / 1=1. Because the
## URI buffer is decoded, one rule per tautology covers raw and %-encoded GET
## payloads.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL 1 = 0 - possible sql injection attempt"; flow:to_server,established; content:"1=0"; fast_pattern:only; http_uri; pcre:"/(and|or)[\s\x2F\x2A]+1=0/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:19440; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1=1"; fast_pattern:only; http_uri; pcre:"/(and|or)[\s\x2f\x2A]+1=1/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:19439; rev:10;)
## Disabled: quote characters inside a PHPSESSID cookie (the /C modifier is the
## cookie buffer), the raw '1'='1 GET form, and the comment-terminated /
## waitfor-delay POST forms.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL PHPSESSID SQL injection attempt"; flow:to_server,established; content:"PHPSESSID="; nocase; content:"|22|"; distance:0; nocase; pcre:"/PHPSESSID=[^\r\n\x26\x3B]*?\x22[^\x22\x3B]/Ci"; metadata:service http; classtype:web-application-attack; sid:20046; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"|27|1|27|=|27|1"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:20047; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL PHPSESSID SQL injection attempt"; flow:to_server,established; content:"PHPSESSID="; nocase; content:"|27|"; distance:0; nocase; pcre:"/PHPSESSID=[^\r\n\x26\x3B]*?\x27[^\x27]/Ci"; metadata:service http; classtype:web-application-attack; sid:20045; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL parameter ending in encoded comment characters - possible sql injection attempt - POST"; flow:to_server,established; content:"%2D%2D"; fast_pattern:only; http_client_body; pcre:"/(%53%45%4C%45%43%54|%55%50%44%41%54%45|%49%4E%53%45%52%54|%73%65%6C%65%63%74|%75%70%64%61%74%65|%69%6E%73%65%72%74)(%20)+[^\r\n\x26]+%2D%2D/Pi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:21779; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL waitfor delay function in POST - possible SQL injection attempt"; flow:to_server,established; content:"waitfor"; nocase; http_client_body; content:"delay"; distance:0; nocase; http_client_body; pcre:"/waitfor%20+delay/Pi"; metadata:service http; reference:url,www.owasp.org/index.php/Blind_SQL_Injection; classtype:web-application-attack; sid:21777; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL parameter ending in comment characters - possible sql injection attempt - POST"; flow:to_server,established; content:"--"; fast_pattern:only; http_client_body; pcre:"/(SELECT|UPDATE|INSERT|%53%45%4C%45%43%54|%55%50%44%41%54%45|%49%4E%53%45%52%54)(%20)+[^\r\n\x26]+--(\x26|$)/Pi"; metadata:policy max-detect-ips drop, policy security-ips alert, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:21778; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL IBM System Storage DS storage manager profiler sql injection attempt"; flow:to_server,established; content:"ModuleServlet?DeviceId=1&state=state_viewmodulelog&selectedModuleOnly=1"; fast_pattern; http_uri; content:"&selectedModule=1"; nocase; http_uri; metadata:policy security-ips drop, service http; reference:bugtraq,54112; reference:cve,2012-2171; reference:url,attack.mitre.org/techniques/T1190; reference:url,www.zeroscience.mk/codes/ibmssdssmp_sqlixss.txt; classtype:web-application-attack; sid:23947; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL use of concat function with select - likely SQL injection"; flow:to_server,established; content:"SELECT "; nocase; http_uri; content:"CONCAT|28|"; within:100; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:24172; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL or kic = kic - known SQL injection routine"; flow:to_server,established; content:"%18%20%4f%52%20%18%6b%69%63%19%20%3d%20%18%6b%69%63"; fast_pattern:only; http_client_body; metadata:service http; classtype:web-application-attack; sid:21789; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL or kic = kic - known SQL injection routine"; flow:to_server,established; content:"%20OR%20|27|kic|27|%20=%20|27|kic"; fast_pattern:only; http_client_body; metadata:service http; classtype:web-application-attack; sid:21788; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - POST parameter"; flow:to_server,established; content:"update%20"; fast_pattern:only; http_client_body; content:"set"; nocase; http_client_body; pcre:"/update%20[^&\n+]+?(%20|\+)set(%20|\+)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; classtype:web-application-attack; sid:26829; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2;)
## ENABLED (drop). POST-body tautologies, in raw/encoded pairs because the body
## buffer is not decoded: 27288 + 30041 cover '1'='1, 27287 + 30040 cover
## "or 1=1". NOTE(review): two gaps relative to the GET rules 19439/19440
## above. (1) sid:30040's pcre "/or\++1%3D1/" accepts only "+" between "or"
## and "1%3D1"; an "%20" separator -- which the disabled sid:15874 handles with
## "(%20|\+)+" -- is missed. (2) both POST rules match only "or", not "and".
## If that coverage matters, add a local.rules rule with a sid >= 1000000 and
## pcre:"/(and|or)(\+|%20)+1%3D1/Pi" rather than editing sid:30040 in place.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"|27|1|27|=|27|1"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:27288; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1=1"; fast_pattern:only; http_client_body; pcre:"/or[\s\x2f\x2A]+1=1/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:27287; rev:5;)
## Disabled: McAfee ePO blind/timing injection (CVE-2013-0140). These also list
## service ssl and port 443/8443, which only helps if Snort is behind a TLS
## terminator; it cannot read encrypted requests itself.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SQL McAfee ePolicy Orchestrator timing based SQL injection attempt"; flow:to_server,established; content:"/EPOAGENTMETA"; nocase; http_uri; content:"/DisplayMSAPropsDetail.do?"; within:30; nocase; http_uri; content:"uid="; within:4; nocase; http_uri; pcre:"/uid=\s?\D{1,3}/Ui"; metadata:policy security-ips drop, service http, service ssl; reference:bugtraq,59500; reference:cve,2013-0140; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:27724; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SQL McAfee ePolicy Orchestrator timing based SQL injection attempt"; flow:to_server,established; content:"/core"; nocase; http_uri; content:"/showRegisteredTypeDetails.do?"; within:34; nocase; http_uri; content:"uid="; within:4; nocase; http_uri; pcre:"/uid=\s?\D{1,3}/Ui"; metadata:service http, service ssl; reference:bugtraq,59500; reference:cve,2013-0140; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:27723; rev:1;)
## ENABLED (drop). Encoded counterparts of 27288 / 27287 (see the note above
## them for the "+"-only separator in sid:30040).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"%271%27%3D%271"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30041; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only; http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:30040; rev:4;)
## Disabled: Drupal 7 pre-auth injection (CVE-2014-3704, SA-CORE-2014-005) --
## worth enabling wherever Drupal 7 is still exposed -- plus PK-CMS and Lblog.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Drupal 7 pre auth SQL injection attempt"; flow:to_server,established; content:"insert"; nocase; http_client_body; content:"into"; within:10; nocase; http_client_body; content:"form_id=user_login_block"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3704; reference:url,www.drupal.org/SA-CORE-2014-005; classtype:web-application-attack; sid:32353; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL PK-CMS SQL injection attempt"; flow:to_server,established; content:"/default.asp?"; fast_pattern; nocase; http_uri; content:"pagina="; distance:0; http_uri; pcre:"/pagina=[^&]*\x27/Ui"; metadata:service http; reference:url,github.com/BuddhaLabs/PacketStorm-Exploits/blob/master/1309-exploits/pkcms-sql.txt; classtype:web-application-attack; sid:32768; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL Lblog possible sql injection attempt - GET parameter"; flow:to_server,established; content:"/blog/comments.asp?id="; fast_pattern:only; http_uri; content:"union"; nocase; http_uri; content:"select"; nocase; http_uri; pcre:"/union\s+(all\s+)?select\s+/Ui"; metadata:policy security-ips drop, service http; reference:cve,2006-4284; reference:url,attack.mitre.org/techniques/T1190; classtype:misc-attack; sid:34295; rev:2;)
## ENABLED but silent (flowbits:noalert). It only tags a session in which an
## "IBM solidDB" banner was seen on 1315/2315 so that solidDB-specific rules
## (not in this file) can test flowbits:isset,soliddb. Leave it on whenever
## those consumer rules are on; disabling it silently breaks them.
alert tcp $SQL_SERVERS [1315,2315] -> $EXTERNAL_NET any (msg:"SQL IBM SolidDB initial banner"; flow:to_client,established; content:"IBM solidDB"; fast_pattern:only; flowbits:set,soliddb; flowbits:noalert; classtype:misc-activity; sid:23393; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL Ruby on rails SQL injection attempt"; flow:established,to_server; content:"]]="; fast_pattern:only; http_uri; pcre:"/\?\w.*?\[\w.*?\[\w.*?\]\]=/smiU"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-2695; classtype:web-application-attack; sid:23213; rev:6;)
## ENABLED (drop). SELECT/UPDATE/INSERT, spaces, a parameter value, then "--"
## as the last two characters of the decoded URI ("--$"). NOTE(review): the "$"
## anchor means payloads that end in "--+" or "-- ", or that carry further
## parameters after the injected one, do not match; MySQL's "-- " comment
## requires that trailing whitespace, so MySQL-targeted payloads are the likely
## miss. The disabled POST twin sid:21778 is looser ("--(\x26|$)").
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL url ending in comment characters - possible sql injection attempt"; flow:to_server,established; content:"--"; fast_pattern:only; http_uri; pcre:"/(SELECT|UPDATE|INSERT)\x20+[^\r\n\x26]+--$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-2998; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:19438; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL declare varchar - possible SQL injection attempt"; flow:to_server,established; content:"declare"; nocase; http_uri; content:"varchar"; distance:0; nocase; http_uri; pcre:"/declare\s+\@[A-Z\d]+\s+varchar/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; classtype:web-application-attack; sid:19202; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL waitfor delay function - possible SQL injection attempt"; flow:to_server,established; content:"waitfor"; nocase; http_uri; content:"delay"; distance:0; nocase; http_uri; pcre:"/waitfor\s+delay/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-2998; reference:url,www.owasp.org/index.php/Blind_SQL_Injection; classtype:web-application-attack; sid:19201; rev:9;)
## ENABLED (drop). DB2 DRDA on 50000, CVE-2010-0462: " REPEAT(" followed by a
## comma (distance:0, so the first comma after the hit) whose decimal argument,
## read as a string of up to 10 digits, exceeds 1000. Plaintext only; DB2 over
## SSL is invisible to it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SQL IBM DB2 DATABASE SERVER SQL REPEAT Buffer Overflow"; flow:to_server, established; content:" REPEAT|28|"; nocase; content:","; distance:0; byte_test:10,>,1000,0,relative,string; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service drda; reference:bugtraq,37976; reference:cve,2010-0462; classtype:attempted-admin; sid:17209; rev:7;)
## Disabled: UCS-2 twin of sid:16074 (set ansi_padding off, CVE-2008-0106) and
## the InterBase user-name overflow (CVE-2008-2559).
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL ansi_padding option"; flow:to_server,established; content:"a|00|n|00|s|00|i|00|_|00|p|00|a|00|d|00|d|00|i|00|n|00|g|00|"; pcre:"/s\x00e\x00t\x00(\s\x00)+a\x00n\x00s\x00i\x00_\x00p\x00a\x00d\x00d\x00i\x00n\x00g\x00(\s\x00)+o\x00f\x00f\x00/smi"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2008-0106; reference:url,msdn.microsoft.com/en-us/library/ms187403.aspx; classtype:policy-violation; sid:16075; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SQL Borland InterBase username buffer overflow"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; byte_jump:4,12,relative,align; content:"|02|"; within:1; distance:8; byte_test:1,>,64,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,29302; reference:cve,2008-2559; classtype:attempted-user; sid:15868; rev:6;)
## ENABLED (drop). DB2 xmlquery overflow (CVE-2008-3854): "select xmlquery("
## followed by a quoted string literal at least 512 bytes long with no embedded
## quote. The metadata also tags "service mysql"; the port is DB2's 50000.
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SQL IBM DB2 Universal Database xmlquery buffer overflow attempt"; flow:to_server,established; content:"xmlquery"; fast_pattern:only; content:"select "; nocase; pcre:"/select\s+xmlquery\s*\x28\s*(\x27|\x22)[^\x27\x22]{512}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service drda, service mysql; reference:bugtraq,29601; reference:cve,2008-3854; classtype:attempted-user; sid:14991; rev:7;)
## Disabled: the generic GET-side union-select (13990) and insert-into (13513)
## rules. 13990 is the single most useful generic injection rule in this file
## and is only off in the balanced policy for false-positive reasons; consider
## enabling it in alert (not drop) mode and tuning from there.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - GET parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_uri; content:"select"; nocase; http_uri; pcre:"/union\s+(all\s+)?select\s+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,14876; reference:bugtraq,21227; reference:bugtraq,22582; reference:bugtraq,24067; reference:cve,2005-3004; reference:cve,2006-0065; reference:cve,2006-0154; reference:cve,2006-2835; reference:cve,2006-6268; reference:cve,2007-1021; reference:cve,2007-2824; reference:cve,2011-1667; reference:url,attack.mitre.org/techniques/T1190; classtype:misc-attack; sid:13990; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection attempt - GET parameter"; flow:to_server,established; content:"insert"; fast_pattern:only; http_uri; pcre:"/insert\s+into\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-2998; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13513; rev:19;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 7210 (msg:"SQL SAP MaxDB shell command injection attempt"; flow:to_server,established; content:"exec_sdbinfo"; fast_pattern:only; pcre:"/exec_sdbinfo\s+[\x26\x3b\x7c\x3e\x3c]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,27206; reference:cve,2008-0244; classtype:attempted-admin; sid:13356; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21064 (msg:"SQL Ingres Database uuid_from_char buffer overflow attempt"; flow:to_server,established; content:"uuid_from_char"; fast_pattern:only; pcre:"/uuid_from_char\s*?\(\s*?[\x22\x27][^\x22\x27]{37}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,24585; reference:cve,2007-3338; reference:url,supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp; reference:url,www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow; classtype:attempted-admin; sid:12027; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible percent-delimited SQL injection attempt - GET parameter"; flow:to_server,established; content:"%u%n%i%o%n%"; nocase; http_raw_uri; content:"%s%e%l%e%c%t"; nocase; http_raw_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,21227; reference:cve,2006-2835; reference:cve,2006-6268; reference:cve,2007-1021; reference:cve,2007-2824; reference:cve,2011-1667; reference:url,www.securityfocus.com/archive/1/452259; classtype:misc-attack; sid:35819; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL use of sleep function with select - likely SQL injection"; flow:to_server,established; content:"SELECT "; nocase; http_uri; content:"SLEEP|28|"; within:100; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.owasp.org/index.php/Blind_SQL_Injection; classtype:web-application-attack; sid:37443; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SQL Oracle e-Business Suite JTF_BISUTILITY_PUB SQL injection attempt"; flow:to_server,established; content:"/EBS/jtf_bisutility_pub.lov_values?"; fast_pattern:only; nocase; content:"p_where_clause="; nocase; http_uri; metadata:service http; reference:cve,2016-0515; classtype:web-application-attack; sid:37648; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SQL Oracle e-Business Suite ORACLESSWA SQL injection attempt"; flow:to_server,established; content:"EBSPROD/OracleSSWA.Execute?"; fast_pattern:only; content:"E="; nocase; http_uri; content:"P={!76EF7B870B1E3806"; nocase; http_uri; metadata:service http; reference:cve,2016-0589; classtype:web-application-attack; sid:37643; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"sleep("; fast_pattern; nocase; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*sleep\x28/Hi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"SQL PostgreSQL potential remote code execution attempt"; flow:to_server,established; content:"CREATE"; content:"FUNCTION"; within:50; content:"LANGUAGE pl"; within:100; content:"u"; within:10; metadata:service postgresql; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/postgres/postgres_createlang.rb; classtype:misc-activity; sid:40313; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL use of sleep function with and - likely SQL injection"; flow:to_server,established; content:"AND "; nocase; http_uri; content:"SLEEP|28|"; within:100; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.owasp.org/index.php/Blind_SQL_Injection; classtype:web-application-attack; sid:41449; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"SQL Oracle MySQL Pluggable Auth denial of service attempt"; flow:to_server,established; content:"|85 A2 BF 01 00 00 00 01 21|"; depth:9; offset:4; content:"|00|"; distance:23; isdataat:!9,relative; pcre:"/^.{4}\x85\xA2\xBF\x01\x00\x00\x00\x01\x21\x00{23}[^\x00]+\x00(\xFE|\xFF)/i"; metadata:policy max-detect-ips drop, service mysql; reference:cve,2017-3599; classtype:denial-of-service; sid:43671; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1450 (msg:"SQL SysAid potential default credential login attempt"; flow:established, to_server; content:"|10|"; depth:1; content:"|02 00|"; within:2; distance:49; byte_jump:2,-4,relative,little,from_beginning,post_offset 8; content:"s|00|a|00|"; within:4; fast_pattern; byte_test:2,<=,10,54,little; byte_test:2,>=,9,54,little; reference:cve,2015-3001; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:43073; rev:3;)
alert tcp any any -> any $HTTP_PORTS (msg:"SQL HTTP URI blind injection attempt"; flow:to_server,established; content:"sleep("; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:49666; rev:1;)