policy/protocols/http/detect-sqli.bro

HTTP

SQL injection attack detection in HTTP.

Namespace: HTTP
Imports: base/frameworks/notice, base/frameworks/sumstats, base/protocols/http
Source File: /scripts/policy/protocols/http/detect-sqli.bro

Summary

Options

HTTP::collect_SQLi_samples: count &redef Collecting samples adds extra data to notice emails by collecting some sample SQL injection URL paths.
HTTP::match_sql_injection_uri: pattern &redef Regular expression used to match URI-based SQL injections.
HTTP::sqli_requests_interval: interval &redef Interval at which to watch for the HTTP::sqli_requests_threshold value to be crossed.
HTTP::sqli_requests_threshold: double &redef Defines the threshold that determines if an SQL injection attack is ongoing, based on the number of requests that appear to be SQL injection attacks.

Redefinitions

HTTP::Tags: enum  
Notice::Type: enum  

Detailed Interface

Options

HTTP::collect_SQLi_samples
Type: count
Attributes: &redef
Default: 5

Collecting samples adds extra data to notice emails by collecting some sample SQL injection URL paths. Disable sample collection by setting this value to 0.

HTTP::match_sql_injection_uri
Type: pattern
Attributes: &redef
Default:
/(((((^?([\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+)$?)|(^?([\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS]))$?))|(^?([\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT]))$?))|(^?([\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?))|(^?([\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\()$?))|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?)/

Regular expression used to match URI-based SQL injections.

HTTP::sqli_requests_interval
Type: interval
Attributes: &redef
Default: 5.0 mins

Interval at which to watch for the HTTP::sqli_requests_threshold variable to be crossed. At the end of each interval the counter is reset.

HTTP::sqli_requests_threshold
Type: double
Attributes: &redef
Default: 50.0

Defines the threshold that determines if an SQL injection attack is ongoing, based on the number of requests that appear to be SQL injection attacks within one HTTP::sqli_requests_interval.
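As an added example (not code from detect-sqli.bro or the Bro project), the fragment below shows how a site would tune the four options documented above from local.bro and sanity-check the match pattern at startup before relying on a redefined version of it. The threshold and interval values, the constructed sample URI, and the reference to the HTTP::SQL_Injection_Attacker notice type (defined by the script, though not listed on this page) are assumptions made for illustration.

```bro
# Added example, not part of detect-sqli.bro. Values are assumptions.
@load protocols/http/detect-sqli

# Lower the per-interval threshold and shorten the observation window so a
# burst of requests that look like SQL injection raises a notice sooner.
# The request counter is reset at the end of each interval.
redef HTTP::sqli_requests_threshold = 20.0;
redef HTTP::sqli_requests_interval = 2 mins;

# Keep up to 10 sample URIs in the notice so an analyst can see what
# matched. Setting this to 0 disables sample collection entirely.
redef HTTP::collect_SQLi_samples = 10;

# Escalate the attacker-side notice to e-mail. HTTP::SQL_Injection_Attacker
# is defined by detect-sqli.bro (not documented on this page); adjust if
# your deployment names notices differently.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == HTTP::SQL_Injection_Attacker )
		add n$actions[Notice::ACTION_EMAIL];
	}

# Startup self-check: confirm the (possibly redefined) pattern still fires on
# a constructed sample URI before trusting it in production. A benign URI is
# checked too so an over-broad redefinition is noticed immediately.
event bro_init()
	{
	local suspicious = "?id=1' OR 1=1";   # constructed sample, assumed
	local benign     = "?page=2&sort=asc"; # constructed sample, assumed

	if ( HTTP::match_sql_injection_uri !in suspicious )
		Reporter::warning("detect-sqli pattern failed to match the sample URI");

	if ( HTTP::match_sql_injection_uri in benign )
		Reporter::warning("detect-sqli pattern matched a benign sample URI");
	}
```

Because sumstats evaluates the threshold per interval, lowering sqli_requests_interval without also lowering sqli_requests_threshold makes the detector less sensitive, not more; tune the two together and check notice.log after the change.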

Copyright 2016, The Bro Project. Last updated on December 12, 2017. Created using Sphinx 1.5.2.