1. Document Overview
This document describes in detail the design process and theoretical basis of the SQL Injection rule set, and analyzes the detection principle and correction process of each rule.
2. Rule deployment requirements
Applies to detection engines based on Snort 2.3 and later versions.
3. Detailed Rule Design
3.1. Detection of select + union + select usage
SELECT + UNION is used to snoop on other tables in the database by riding on the SQL statement of an existing script. The attack principle is: first, a dummy condition (such as 1<>1) is used to neutralize the original SQL statement in the script, and then UNION + SELECT is appended to build a second SQL statement. The difficulty lies in guessing the number and types of the columns being queried; once both the number and the types agree, the contents of the chosen table are rendered on the normal page. Because system tables generally contain very important information, once this attack succeeds the security of the system can be considered broken. Now consider the normal detection conditions. Attackers generally construct a URL such as http://127.0.0.1/rule_manage_system/code/edit_rule.php?Sid=1430%20and%201<>1%20%20union%20select%20...,21%20from%20admin (column list abbreviated). The first feature of this attack is "space + union"; second, a select appears in both SQL statements and a from at the end of both; in addition, the ? and = signs are essential features. When these appear in the URL in the order ? = union select, the request can be considered an SQL injection attack.
Rule Design:
First, the regular expression is:
/(\%3D|=)+(\S|\s)+(\%75|u|U|\%55)(\%6E|n|N|\%4E)(\%69|i|I|\%49)(\%6F|o|O|\%4F)(\%6E|n|N|\%4E)(\%20|\w+|\S|\s)+(\%73|s|S|\%53)(\%65|e|E|\%45)(\%6C|l|L|\%4C)(\%65|e|E|\%45)(\%63|c|C|\%43)(\%74|t|T|\%54)/ix
Explanation:
\w+ matches one or more word characters (letters, digits or underscore); (\S|\s)+ matches one or more characters of any kind.
The regular expression first checks for an = sign, which is the primary feature of a URL parameter. Second, it checks whether UNION, in upper case, lower case or hexadecimal (URL-encoded) form, appears after the = sign. Then it checks that UNION is followed by one or more other characters. Finally, it checks whether SELECT, again in upper-case, lower-case or hexadecimal form, appears after UNION; this is the most basic feature of a UNION + SELECT injection.
In a URL, parameters are generally submitted as xxx.asp?A=xxx. To improve efficiency and accuracy, the rule also checks for the ? character (uricontent:"?") before applying the regular expression. The complete rule is as follows:
1) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attack feature characters detected"; flow:to_server,established; uricontent:"?"; nocase; pcre:"/(\%3D|=)+(\S|\s)+(\%75|u|U|\%55)(\%6E|n|N|\%4E)(\%69|i|I|\%49)(\%6F|o|O|\%4F)(\%6E|n|N|\%4E)(\%20|\w+|\S|\s)+(\%73|s|S|\%53)(\%65|e|E|\%45)(\%6C|l|L|\%4C)(\%65|e|E|\%45)(\%63|c|C|\%43)(\%74|t|T|\%54)/ix"; sid:10114; rev:1;)
3.2. Detection of select + load_file() usage
SELECT + LOAD_FILE is used to snoop on and expose important system files by riding on the SQL statement of an existing script. The attack principle is: first, a dummy condition (such as 1<>1) is used to neutralize the original SQL statement in the script, and then UNION + LOAD_FILE() is used to build a second SQL statement. The difficulty lies in guessing the number and types of the columns being queried; once both agree, the contents of important files are rendered on the normal page. Once this attack succeeds, the consequences are quite serious. Now consider the normal detection conditions. Attackers generally construct a URL such as http://127.0.0.1/rule_manage_system/code/edit_rule.php?Sid=1430%20and%201<>1%20%20union%20select%20...,15,LOAD_FILE('/home/hek/1.txt'),17,18,19,20,21%20from%20admin%23 (column list abbreviated). Examining this attack, the essential features are first UNION, followed by LOAD_FILE() in the second SQL statement; in addition, the ? and = signs are essential features. When these characters appear in the URL in this order, the request can be considered an SQL injection attack, and the regular expression is constructed accordingly.
Rule Design:
The regular expression is:
/(\%3D|=)+(\S|\s)+(\%75|u|U|\%55)(\%6E|n|N|\%4E)(\%69|i|I|\%49)(\%6F|o|O|\%4F)(\%6E|n|N|\%4E)(\S|\s)+(\%6c|l|L|\%4c)(\%6F|o|O|\%4F)(\%61|a|A|\%41)(\%64|d|D|\%44)(\%5F|_)(\%66|f|F|\%46)(\%69|i|I|\%49)(\%6c|l|L|\%4c)(\%65|e|E|\%45)(\%28|\()/ix
Explanation:
(\S|\s)+ matches one or more characters of any kind; the rule does not care what lies between the = sign and UNION, or between UNION and LOAD_FILE.
The regular expression first checks for an = sign, which is the primary feature of a URL parameter. Second, it checks whether UNION, in upper case, lower case or hexadecimal (URL-encoded) form, appears after the = sign. Then it checks that UNION is followed by one or more other characters. Finally, it checks whether LOAD_FILE( in upper-case, lower-case or hexadecimal form appears after UNION; this keyword combination is the most basic feature of any UNION + LOAD_FILE injection.
In a URL, parameters are generally submitted as xxx.asp?A=xxx. To improve efficiency and accuracy, the rule also checks for the ? character (uricontent:"?") before applying the regular expression. The complete rule is as follows:
2) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attack feature characters detected"; flow:to_server,established; uricontent:"?"; nocase; pcre:"/(\%3D|=)+(\S|\s)+(\%75|u|U|\%55)(\%6E|n|N|\%4E)(\%69|i|I|\%49)(\%6F|o|O|\%4F)(\%6E|n|N|\%4E)(\S|\s)+(\%6c|l|L|\%4c)(\%6F|o|O|\%4F)(\%61|a|A|\%41)(\%64|d|D|\%44)(\%5F|_)(\%66|f|F|\%46)(\%69|i|I|\%49)(\%6c|l|L|\%4c)(\%65|e|E|\%45)(\%28|\()/ix"; sid:10115; rev:1;)
3.3. Detection of load data infile exploitation
Syntax:
LOAD DATA [LOW_PRIORITY] [LOCAL] INFILE 'file_name.txt' [REPLACE | IGNORE]
INTO TABLE tbl_name
The LOAD DATA INFILE statement reads rows from a text file into a table at high speed.
This statement cannot be submitted directly through a browser, so it is of little use to an attacker and is not detected by this rule set.
3.4. Detection of brute-force password guessing
The main principle of this kind of exploitation is to use character-class functions to compare a chosen character with a field value from a system table, one position at a time. If the comparison succeeds, the page displays normally, so that guess is judged correct, and so on until all values have been guessed. Different combinations can be used to guess the length or the value of a field. Depending on the database system, such functions include min(), length(), ASCII(), char(), str(), ASC(), substr(), unicode(), asc(), chr(), nchar(), substring(), abc(), abs(). Attack example: http://localhost/site/display.php?Id=451%20and%201=(select%20min(id)%20from%20alphaauthor%20where%20ascii(mid(username,))=97)
Consider this typical attack. First, the URL contains ? and =. Second, it contains one of the functions listed above. Finally, under normal circumstances the function call also contains an = sign, but testing shows that this is not a required feature. The detection points to abstract are therefore: 1) detect = and ?; 2) detect the feature functions. To reduce false positives, also check for the left bracket that opens the function call.
Rule Design:
The regular expression is:
/(\%3D|=)+(\S|\s)+(\%6D|m|M|\%4D)(\%69|i|I|\%49)(\%6E|n|N|\%4E)(\%28|\()/ix
</gr_replreplace>
<gr_replace lines="39" cat="clarify" orig="Other such">
The remaining functions follow by analogy; the full set of regular expressions is:
Other such pushes finally obtain all Regular Expressions:
min(): /(\%3D|=)+(\S|\s)+(\%6D|m|M|\%4D)(\%69|i|I|\%49)(\%6E|n|N|\%4E)(\%28|\()/ix
length(): /(\%3D|=)+(\S|\s)+(\%6C|l|L|\%4C)(\%65|e|E|\%45)(\%6E|n|N|\%4E)(\%67|g|G|\%47)(\%74|t|T|\%54)(\%68|h|H|\%48)(\%28|\()/ix
ascii(): /(\%3D|=)+(\S|\s)+(\%61|a|A|\%41)(\%73|s|S|\%53)(\%63|c|C|\%43)(\%69|i|I|\%49)(\%69|i|I|\%49)(\%28|\()/ix
char(): /(\%3D|=)+(\S|\s)+(\%63|c|C|\%43)(\%68|h|H|\%48)(\%61|a|A|\%41)(\%72|r|R|\%52)(\%28|\()/ix
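To exercise the detection logic of sections 3.1, 3.2 and 3.4 offline, the following Python example (added here, not part of the rule set document) rebuilds the rules' pcre patterns and runs them over constructed sample URIs; the kw() helper, the rule names and the sample URIs are assumptions of this example.

```python
import re

# Added example, not part of the rule set document: the rules' pcre patterns
# rebuilt in Python so the detection logic can be exercised offline.
# kw() reproduces the per-letter alternation the rules spell out, where each
# letter may appear literally or URL-encoded, e.g. kw("u") -> (\%75|u|U|\%55).
def kw(word):
    return "".join(
        r"(\%{:02X}|{}|{}|\%{:02X})".format(ord(c.lower()), c.lower(),
                                           c.upper(), ord(c.upper()))
        for c in word)

PARAM = r"(\%3D|=)+(\S|\s)+"   # a URL parameter '=' followed by anything
CALL = r"(\%28|\()"            # the '(' that opens a function call

RULES = {
    # sid 10114 (3.1): '=' ... union ... select
    "union_select": PARAM + kw("union") + r"(\%20|\w+|\S|\s)+" + kw("select"),
    # sid 10115 (3.2): '=' ... union ... load_file(
    "union_load_file": PARAM + kw("union") + r"(\S|\s)+" + kw("load")
                       + r"(\%5F|_)" + kw("file") + CALL,
}
# 3.4: one pattern per character-class function; the '(' cuts false positives
for fn in ("min", "length", "ascii", "char"):
    RULES[fn + "()"] = PARAM + kw(fn) + CALL

# Same flags as the rules' /ix. Note that /i already makes the upper/lower-case
# alternatives redundant; only the hex forms add coverage (encoded input).
COMPILED = {name: re.compile(p, re.I | re.X) for name, p in RULES.items()}

def matching_rules(uri):
    """Names of the rules whose pcre matches the request URI; the rules'
    uricontent:"?" precondition is mirrored by requiring a '?' first."""
    if "?" not in uri:
        return []
    return [name for name, pat in COMPILED.items() if pat.search(uri)]

# Constructed sample URIs modelled on the document's examples (not real traffic).
SAMPLES = {
    "/edit_rule.php?Sid=1430": [],
    "/search.php?q=character": [],                 # 'char' without '(' stays quiet
    "/edit_rule.php?Sid=1430%20and%201<>1%20union%20select%201,2,3%20from%20admin":
        ["union_select"],
    "/edit_rule.php?Sid=1430%20union%20select%201,load_file('/home/hek/1.txt'),3%23":
        ["union_select", "union_load_file"],
    "/display.php?Id=451%20and%201=(select%20min(id)%20from%20t%20where%20ascii(mid(username,1,1))=97)":
        ["min()", "ascii()"],
    "/display.php?id=1%20%75%6E%69%6F%6E%20%73%65%6C%65%63%74%201": ["union_select"],
}
```

The nested (\%20|\w+|\S|\s)+ group of the 3.1 pattern can backtrack heavily on long parameter values that contain "union" but no "select"; Snort bounds this with its pcre_match_limit setting, while this Python port does not.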