Overzealous HTTP SQL injection detection? #352
I am seeing a lot of HTTP SQL injection notices generated in detect-sqli.zeek, which are clearly not actual SQL injection attempts.
The endpoint has the form
I am guessing the regex is actually looking for requests along the lines of
But in my case,
Is the above analysis correct?
In that case, maybe the regex can be rewritten such that the instances of
@emillynge thanks for pointing out the false positive. Generally, you may find it useful to implement your own `HTTP::sqli_policy` hook to whitelist mis-detected URIs, but yes this is a case where it looks like the `\x00-\x37` range may be unintentionally capturing the `&` character. More suspicious since it is also capturing it within the same regex group that looks like it's trying to match a `;` character.

Seems like an odd range overall: stopping at `\x37` which is '7', so I don't understand what it's trying to accomplish.

@sethhall do you remember anything about where these patterns come from?

Doing some archaeology, that weird range wasn't always there: https://github.com/zeek/zeek/blob/68171cf179e05e35fe9b73fdf4157e0d71ffd5e9/policy/protocols/http/base/detect-sqli.bro#L30-L35

Seems to appear here first: https://github.com/zeek/zeek/blob/597a4d6704b3d22004c160c52541aeaf44001a93/scripts/policy/protocols/http/detect-sqli.bro#L27-L33
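To make the range concrete, here is an added Python example (not Zeek code and not from this thread) that enumerates the printable characters a `\x00-\x37` range covers and compares a constructed, simplified character class carrying that range against a hypothetical tightened class on sample URIs; the class, the tightened alternative and the URIs are all constructed for illustration, not taken from detect-sqli.zeek.

```python
import re

# Constructed, simplified stand-in for the group under discussion: a class
# meant to catch a ';' separator that also carries the odd \x00-\x37 range.
# This is NOT Zeek's actual detect-sqli pattern.
SUSPECT_CLASS = re.compile(r"[;\x00-\x37]")

# Hypothetical tightened alternative: keep ';' and the control characters,
# drop printable bytes such as '&', '%', '/', '+' and the digits 0-7.
TIGHTENED_CLASS = re.compile(r"[;\x00-\x1f]")

# Constructed sample URIs: a benign query string and one with a ';' separator.
BENIGN_URI = "/api/items?page=2&sort=name"
SEPARATOR_URI = "/search?q=1;2"


def printable_chars_in_range(lo: int, hi: int) -> str:
    """Return the printable ASCII characters that the byte range lo..hi covers."""
    return "".join(chr(c) for c in range(lo, hi + 1) if 0x20 <= c < 0x7F)


def flagged(pattern: re.Pattern, uri: str) -> bool:
    """True when the class matches anywhere in the URI, i.e. it would contribute to a notice."""
    return pattern.search(uri) is not None


def compare() -> dict:
    """Show which characters the range swallows and how the two classes treat the samples."""
    return {
        "covered_by_range": printable_chars_in_range(0x00, 0x37),
        "benign_flagged_by_suspect": flagged(SUSPECT_CLASS, BENIGN_URI),
        "benign_flagged_by_tightened": flagged(TIGHTENED_CLASS, BENIGN_URI),
        "separator_flagged_by_suspect": flagged(SUSPECT_CLASS, SEPARATOR_URI),
        "separator_flagged_by_tightened": flagged(TIGHTENED_CLASS, SEPARATOR_URI),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value!r}")
```

The enumeration shows the range also swallows `/` and the digits 0 through 7, so the benign query string is flagged for more than just its `&`.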
Those patterns came from my work at OSU and there have unfortunately always been false positives. There is a test suite for those patterns too that would be good to fill out more... https://github.com/zeek/zeek/blob/a994be9eebd80cd7fbeaa62f2eba1a045b269b3f/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek You can see in that test file that there are already some URLs that I couldn't get it to work with correctly.

On 6 May 2019, at 15:01, Jon Siwek wrote:

> @emillynge thanks for pointing out the false positive. Generally, you may find it useful to implement your own `HTTP::sqli_policy` hook to whitelist mis-detected URIs, but yes this is a case where it looks like the `\x00-\x37` range may be unintentionally capturing the `&` character. More suspicious since it is also capturing it within the same regex group that looks like it's trying to match a `;` character.
>
> Seems like an odd range overall: stopping at `\x37` which is '7', so I don't understand what it's trying to accomplish.
>
> @sethhall do you remember anything about where these patterns come from?
>
> Doing some archaeology, that weird range wasn't always there: https://github.com/zeek/zeek/blob/68171cf179e05e35fe9b73fdf4157e0d71ffd5e9/policy/protocols/http/base/detect-sqli.bro#L30-L35
>
> Seems to appear here first: https://github.com/zeek/zeek/blob/597a4d6704b3d22004c160c52541aeaf44001a93/scripts/policy/protocols/http/detect-sqli.bro#L27-L33