policy/protocols/http/detect-sqli.zeek

HTTP

SQL injection attack detection in HTTP.

Namespace

HTTP

Imports

base/frameworks/notice, base/frameworks/sumstats, base/protocols/http

Summary

Redefinable Options

HTTP::collect_SQLi_samples: count &redef

Collecting samples will add extra data to notice emails by collecting some sample SQL injection URL paths.

HTTP::match_sql_injection_uri: pattern &redef

Regular expression used to match URI-based SQL injections.

HTTP::sqli_requests_interval: interval &redef

Interval at which to watch for the HTTP::sqli_requests_threshold variable to be crossed.

HTTP::sqli_requests_threshold: double &redef

Defines the threshold that determines if an SQL injection attack is ongoing based on the number of requests that appear to be SQL injection attacks.

Redefinitions

HTTP::Tags: enum

Notice::Type: enum

Hooks

HTTP::sqli_policy: hook

A hook that can be used to prevent specific requests from being counted as an injection attempt.

Detailed Interface

Redefinable Options

HTTP::collect_SQLi_samples
Type

count

Attributes

&redef

Default

5

Collecting samples will add extra data to notice emails by collecting some sample SQL injection URL paths. Disable sample collection by setting this value to 0.

HTTP::match_sql_injection_uri
Type

pattern

Attributes

&redef

Default
/^?((^?((^?((^?((^?((^?([\?&][^[:blank:]\x00-\x1f\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+)$?)|(^?([\?&][^[:blank:]\x00-\x1f\|]+?=[\-0-9%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS]))$?))$?)|(^?([\?&][^[:blank:]\x00-\x1f]+?=[\-0-9%]*([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT]))$?))$?)|(^?([\?&][^[:blank:]\x00-\x1f\|]+?=([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?))$?)|(^?([\?&][^[:blank:]\x00-\x1f]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\()$?))$?)|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?))$?/

Regular expression used to match URI-based SQL injections.

HTTP::sqli_requests_interval
Type

interval

Attributes

&redef

Default

5.0 mins

Interval at which to watch for the HTTP::sqli_requests_threshold variable to be crossed. At the end of each interval the counter is reset.

HTTP::sqli_requests_threshold
Type

double

Attributes

&redef

Default

50.0

Defines the threshold that determines if an SQL injection attack is ongoing, based on the number of requests that appear to be SQL injection attempts seen within HTTP::sqli_requests_interval.

Hooks

HTTP::sqli_policy
Type

hook (c: connection, method: string, unescaped_URI: string) : bool

A hook that can be used to prevent specific requests from being counted as an injection attempt. Use a 'break' statement to exit the hook early and ignore the request.
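The following site-local script shows how the options and the hook above fit together. It is an added example, not part of the Zeek distribution or of detect-sqli.zeek itself: the module name SQLiTuning, the scanner subnet, the reporting-application path and the chosen thresholds are assumptions for a hypothetical deployment, and the extra pattern appended to HTTP::match_sql_injection_uri is an assumed addition rather than something the default pattern contains.

```zeek
##! Site-local tuning for policy/protocols/http/detect-sqli.zeek.
##! Added example for illustration; every site-specific value below is an
##! assumption (module name, subnet, path, thresholds, extra pattern).

@load protocols/http/detect-sqli

module SQLiTuning;

export {
	## Hypothetical: subnets of authorised internal vulnerability scanners
	## whose probes must not be counted as SQL injection attempts.
	const scanner_nets: set[subnet] = { 10.10.0.0/16 } &redef;

	## Hypothetical: an internal reporting application that legitimately
	## carries SQL keywords in its query string (e.g. ?q=select+count(*)...).
	const benign_sql_path = /^\/internal\/reports\/adhoc(\?|$)/ &redef;
}

# Raise the bar for a noisy environment: 100 suspicious requests per
# 10 minutes instead of the default 50 per 5 minutes, and keep 10 sample
# URIs for the notice instead of 5 (set to 0 to disable sampling).
redef HTTP::sqli_requests_threshold = 100.0;
redef HTTP::sqli_requests_interval = 10min;
redef HTTP::collect_SQLi_samples = 10;

# Extending the URI pattern: '+=' on a redef of a pattern appends an
# alternative to the existing regular expression. This assumed addition
# looks for time-based probes calling sleep() or benchmark() inside a
# query-string value; it is not part of the default pattern.
redef HTTP::match_sql_injection_uri +=
	/[\?&][^[:blank:]\x00-\x1f]+?=.*?([sS][lL][eE][eE][pP]|[bB][eE][nN][cC][hH][mM][aA][rR][kK])\(/;

# The hook runs for every request whose unescaped URI matched the pattern.
# 'break' exits early and the request is ignored, i.e. not counted toward
# HTTP::sqli_requests_threshold and not collected as a sample.
hook HTTP::sqli_policy(c: connection, method: string, unescaped_URI: string)
	{
	# Ignore traffic from scanners we run ourselves.
	if ( c$id$orig_h in scanner_nets )
		break;

	# Ignore the reporting application, whose GET requests are expected
	# to look like SQL. Other methods (e.g. POST bodies) are unaffected,
	# since this script only inspects the URI.
	if ( method == "GET" && benign_sql_path in unescaped_URI )
		break;
	}
```

Load the script from local.zeek (for example with @load ./sqli-tuning if it is saved beside it) and check with zeek -a that it parses before deploying. Note that a 'break' only stops the request from being counted; the request itself is still processed and logged by the HTTP analyzer as usual.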