Hi all,
I created some rules to detect SQL injection encoding evasion. OSSEC
already detects these attacks, but in some cases the response isn't so fast.
These rules cover + (plus) encoding and all sqlmap tamper techniques.
<group name="attack,sqlinjection,">
  <!-- 160001: SQL keywords whose surrounding spaces are URL-encoded as %2B ("+"),
       plus a quote right after a parameter name (=%27) -->
  <rule id="160001" level="6">
    <if_sid>31100</if_sid>
    <url>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url>
    <description>SQL injection attempt.</description>
  </rule>
  <!-- 160002: encoding evasions: fullwidth apostrophe (%EF%BC%87),
       double-encoded "1" (%2531) and %u-encoded "SE" (%u0053%u0045).
       The original alternation listed %EF%BC%87 three times; once is enough. -->
  <rule id="160002" level="6">
    <if_sid>31100</if_sid>
    <url>%EF%BC%87|%2531|%u0053%u0045</url>
    <description>SQL injection attempt.</description>
  </rule>
</group>
New suggestions are welcome. =)
Best,
Alexos