TCPdump & Snort - Intrusion Detection Systems
Examples II<br />
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \<br />
(msg:"SQL Injection Attempt"; flow:established,to_server; \<br />
uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; \<br />
uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; \<br />
classtype:web-application-attack; reference:cve,CVE-2007-2803; \<br />
sid:20996; rev:5;)<br />
Checks for access to web servers querying for an ASP page<br />
containing a SQL statement with ‘DELETE’<br />
(order the rule options: simple ones like ‘flow’ first, complex ones like ‘pcre’ last)<br />
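The same checks in the same cheap-to-expensive order, as an added Python example (not part of the original slides and not Snort's own code), which also shows a benign request that the rule would flag. The names `rule_matches` and `normalize_uri` are hypothetical, Snort's URI normalization is approximated by percent-decoding only, and all sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# uricontent options of the rule above; each one carries "nocase".
URICONTENTS = ["/default.asp?", "id=", "DELETE"]

# pcre:"/.+DELETE.+FROM/Ui"  (U: match the normalized URI, i: ignore case)
PCRE = re.compile(r".+DELETE.+FROM", re.IGNORECASE)


def normalize_uri(raw_uri):
    """Assumption: stands in for Snort's HTTP URI normalization
    by doing percent-decoding only."""
    return unquote(raw_uri)


def rule_matches(raw_uri, established_to_server=True):
    """Return True if the rule's detection options would all match."""
    # 1. flow:established,to_server is the cheapest test, so it runs first.
    if not established_to_server:
        return False
    uri = normalize_uri(raw_uri)
    lowered = uri.lower()
    # 2. Plain substring tests (uricontent ... nocase), order-independent.
    if not all(c.lower() in lowered for c in URICONTENTS):
        return False
    # 3. The regular expression is the most expensive test, so it runs last.
    return PCRE.search(uri) is not None


# Constructed sample requests (request URI, flow state) for illustration.
SAMPLES = [
    ("/default.asp?id=1;DELETE%20FROM%20users", True),         # alert
    ("/default.asp?id=42", True),                              # no DELETE
    ("/default.asp?id=7&action=delete", True),                 # DELETE, no FROM
    ("/default.asp?id=3&note=deleted+items+from+cart", True),  # false positive
    ("/default.asp?id=1;DELETE%20FROM%20users", False),        # flow not established
]

if __name__ == "__main__":
    for uri, flow_ok in SAMPLES:
        verdict = "ALERT" if rule_matches(uri, flow_ok) else "pass"
        print(f"{verdict:5}  established={flow_ok}  {uri}")
```

The fourth sample is an ordinary request that still matches both the `uricontent` tests and the regular expression, which is the kind of hit to expect when tuning this rule.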
<strong>TCPdump</strong> & <strong>Snort</strong> Thomas Fischer February 3, 2010 Page 33