detect-sql-injection.zeek

HTTP

SQL injection attack detection in HTTP.

The script annotates the notices it generates with an associated $uid connection identifier; always provides an attacker IP address in the $src field; and always provides a victim IP address in the $dst field.

Namespace:: HTTP
Imports:: base/frameworks/notice, base/frameworks/sumstats, base/protocols/http

Summary

Redefinable Options

`HTTP::match_sql_injection_uri`: `pattern` `&redef`	Regular expression is used to match URI based SQL injections.
`HTTP::sqli_requests_interval`: `interval` `&redef`	Interval at which to watch for the `HTTP::sqli_requests_threshold` variable to be crossed.
`HTTP::sqli_requests_threshold`: `double` `&redef`	Defines the threshold that determines if an SQL injection attack is ongoing based on the number of requests that appear to be SQL injection attacks.

Redefinitions

`HTTP::Tags`: `enum`	`HTTP::URI_SQLI`: Indicator of a URI based SQL injection attack.
`Notice::Type`: `enum`	`HTTP::SQL_Injection_Attacker`: Indicates that a host performing SQL injection attacks was detected. `HTTP::SQL_Injection_Victim`: Indicates that a host was seen to have SQL injection attacks against it.
`SumStats::Observation`: `record`	New Fields: `SumStats::Observation` uid: `string` `&optional`

Hooks

HTTP::sqli_policy: hook

A hook that can be used to prevent specific requests from being counted as an injection attempt.

Detailed Interface

Redefinable Options

HTTP::match_sql_injection_uri 

Type:

pattern

Attributes:

&redef

Default:

/^?((^?((^?((^?((^?(((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?(having|union|exec|select|delete|drop|declare|create|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+)$?))|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+(x?or|n?and)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+'?(([^a-zA-Z&]+)?=|exists))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?convert|cast))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*(x?or|n?and|having|union|exec|select|delete|drop|declare|create|regexp|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?(char|ascii|substring|truncate|version|length)\()$?)))$?)|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?))$?/

Regular expression is used to match URI based SQL injections.

HTTP::sqli_requests_interval 

Type:: interval
Attributes:: &redef
Default:: 5.0 mins

Interval at which to watch for the HTTP::sqli_requests_threshold variable to be crossed. At the end of each interval the counter is reset.

HTTP::sqli_requests_threshold 

Type:: double
Attributes:: &redef
Default:: 50.0

Defines the threshold that determines if an SQL injection attack is ongoing based on the number of requests that appear to be SQL injection attacks.

Hooks

HTTP::sqli_policy 

Type:: hook (c: connection, method: string, unescaped_URI: string) : bool

A hook that can be used to prevent specific requests from being counted as an injection attempt. Use a ‘break’ statement to exit the hook early and ignore the request.