SNORT windows ban SQL Injection attempts

Hello, I'm reading this topic:

https://forum.pfsense.org/index.php?topic=52148.msg278719#msg278719

But the question is: do the alerts auto-ban the SQL injection attempts, or how can the SQL injection attempts be banned after Snort's rules find them?
I ask because someone got in and added some users to our SQL Server via injection attacks on Windows 2008.
Thank you
coerrace asked:
Dave Howe (Software and Hardware Engineer) commented:
Normally, you use Snort in its "inline" mode (although note that the devs for that have moved to Suricata) and respond by either dropping the injection attempt or applying a ban period to the offending IP (or both). Bear in mind, though, that this would require having a Snort-enabled Linux box at the point where you wish to prevent traffic. There *is* a method to run Snort on Windows, but because of the limitations of the platform, the best that can be done is to send resets to the requesting host, not deny the traffic (see here).

The point at which you attempt this is also important: pre-webserver may require HTTPS intercept, as may webserver-to-SQL (plus, of course, writing rules for non-ASCII protocols like TDS).

You might want to look at prewritten solutions such as GreenWall :)
 
coerrace (Author) commented:
How do I know if I have flexresp2 installed and working properly? Because if you look at the link I gave you, it had 3 rules with "alert", and I noted they come with "resp:rst_all"; in other words, it sounds like those alerts are ready to do that work with Snort, no?
But the most important thing is how I can know if I have flexresp2 installed, and check it, because I looked a lot on Google and I can't find anything about Windows.
Thank you
These are the rules:
# ------------
# LOCAL RULES

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NT2-SQL Injection-Varchar"; flow:to_server,established;uricontent: "?";http_uri;content:"varchar";nocase; resp: rst_all; classtype:web-application-attack; sid:9990001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NT2-SQL Injection-Declare"; flow:to_server,established;uricontent: "?";http_uri;content:"declare";nocase; resp: rst_all; classtype:web-application-attack; sid:9990002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NT2-SQL Injection-Exec"; flow:to_server,established;uricontent: "?";http_uri;content:"exec"; nocase; resp: rst_all; classtype:web-application-attack; sid:9990003; rev:1;)

 
Dave Howe (Software and Hardware Engineer) commented:
Those rules look for three specific words (Declare, Varchar and Exec) in the HTTP URI; hence, they will catch only very, very crude SQL injections.

Let's take the first one in detail.

alert - this rule generates an alert

tcp - on tcp traffic

$EXTERNAL_NET any - $EXTERNAL_NET is a variable; somewhere prior to this you need to have "ipvar $EXTERNAL_NET [<network>]", where normally <network> uses the ! (not) operator and a network you want to allow to bypass the rule (if any).
So this rule works on packets from external addresses, any port.

$HTTP_SERVERS $HTTP_PORTS - two more variables, you must define those with the IPs and ports you plan to protect.

(msg:"xxx"; - send the alert with the message given

flow:to_server,established; - for connections TO the server already established

uricontent: "?"; - for connections that have a question mark in the URL

http_uri; - restricts content searches to the HTTP URI

content: "varchar";nocase; - looks for the word varchar, case insensitive

resp: rst_all; - sends a reset (RST) packet back to the requesting app. *Most* web injection programs will then drop the TCP link (not all).

classtype:web-application-attack; sid:9990001; rev:1;) - adds additional information to the alert.


From this, it would seem that you can test by sending a request to any web page on your server with "?varchar" on the end of the URL.
 
Rich Rumble (Security Samurai) commented:
Your Snort install is on Linux, correct? If not, there is no way to send a FIN/RST packet using Snort on Windows. Using Linux it is possible to send a FIN/RST packet to any host; you must enable Active Response first, however:
http://manual.snort.org/node26.html
Flexresp1 and 2 were deprecated long ago; only Flexresp3 is still supported.
http://blog.snort.org/2010/11/active-response-with-snort-290.html
-rich
 
coerrace (Author) commented:
richrumble: But this link http://doczine.com/bigdata/1/1367055089_a74e98341c/snort.pdf
talks about installation on Windows as a firewall. We don't have Linux; that is why I am reading that document and asking the question.
Thank you
 
Rich Rumble (Security Samurai) commented:
Hmm, this is news to me. I thought Flexresp* was Linux only; let me compile a new Snort and see if I can make these rules work. I know Suricata has an "active response"-like library that works on Windows; I just thought flexresp itself was Linux. I apologize if it works. Let me check this out.
-rich
 
coerrace (Author) commented:
OK, if you find out, we'll appreciate it. We only want to know how to enable flexresp on Windows; in other places I heard it is actually inside the package, but really we don't know.
Thank you
 
Rich Rumble (Security Samurai) commented:
Took a minute to get my snort.conf right, but these rules worked!
alert tcp 192.168.1.2 any -> any 80 ( content:"www.google.com"; msg: "NOT ALLOWED"; sid:1000008; rev:1; priority:1; resp: reset_source; )
alert tcp any any -> any any ( content:"www.ammonnews.net"; msg:"not allowed access to ammonnew.net please call moath"; priority:1; sid:10000088; rev:3; resp: reset_source;)
alert ip any any -> any any ( content:"www.yahoo.com"; msg:"not allowed access to yahoo.com please call MOATH KBJ"; priority:1;sid:10000089; rev:4; resp: reset_both;)


I called these rules c:\snort\rules\resp.rules

I stand corrected, windows can use Flexresp! I've attached my Snort.conf, it assumes that your paths are typical, meaning c:\snort\...
Rules can be downloaded from ET or Snort (if you login)

To find your snort interface, if you have more than one, open cmd, cd to snort\bin and then run "snort.exe -W -c c:\snort\etc\snort.conf" capital double-u is needed for it to work. Then use settings like those I have in the attached file for your snort.conf, and run snort as follows:
c:\snort\bin\snort.exe -c c:\snort\etc\snort.conf -i 2
-i 2 is if your interface is 2; if it's 1, then use 1.
-rich
Snort.conf.txt
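As an added example (my code, not from this thread or from Snort), a small Python linter that ties Dave's option-by-option breakdown above to the resp keyword: it parses a rule's option block, flags the Flexresp1/2 spelling (rst_all) used in the rules quoted from the pfSense post, and suggests the Flexresp3 keyword used in Rich's working rules. Assumed: Snort 2.9's resp keyword accepts reset_source, reset_dest, reset_both and the icmp_* values; the header regex and the finding texts are my own.

```python
# Added example, not code from this thread or from Snort: a small linter for
# Snort 2.x rule option blocks that flags 'resp' values written in the old
# Flexresp1/2 syntax (rst_snd/rst_rcv/rst_all), names the Flexresp3 keyword
# that Snort 2.9 expects, and notes rules that alert without any response.
import re
FLEXRESP3 = {"reset_source", "reset_dest", "reset_both",
             "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
FLEXRESP2 = {"rst_snd": "reset_source", "rst_rcv": "reset_dest", "rst_all": "reset_both"}
# action proto src sport dir dst dport (options)   -- assumed header shape
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$")

def parse_rule(rule):
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule[:40])
    action, proto, body = m.groups()
    options = []
    for opt in re.split(r"(?<!\\);", body):      # ';' ends an option unless escaped
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return action, proto, options

def check_resp(rule):
    """List what a rule author should know about the rule's resp option."""
    opts = dict(parse_rule(rule)[2])     # later duplicates win; fine for resp/sid
    if "resp" not in opts:
        return ["no resp option: the rule only alerts and never resets the session"]
    findings = []
    for token in (t.strip() for t in opts["resp"].split(",")):
        if token in FLEXRESP2:
            findings.append(f"deprecated Flexresp2 value '{token}': use '{FLEXRESP2[token]}'")
        elif token not in FLEXRESP3:
            findings.append(f"unknown resp value '{token}'")
        elif token == "reset_source":
            findings.append("reset_source resets only the client; reset_both tears down both ends")
    return findings

# Constructed input: the first pfSense-forum rule and Rich's first working rule, as posted above.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NT2-SQL Injection-Varchar"; '
    'flow:to_server,established;uricontent: "?";http_uri;content:"varchar";nocase; resp: rst_all; '
    'classtype:web-application-attack; sid:9990001; rev:1;)',
    'alert tcp 192.168.1.2 any -> any 80 ( content:"www.google.com"; msg: "NOT ALLOWED"; '
    'sid:1000008; rev:1; priority:1; resp: reset_source; )',
]

def lint(rules=RULES):
    """Map each rule's sid to its findings."""
    return {dict(parse_rule(r)[2])["sid"]: check_resp(r) for r in rules}
```

Running lint() on the two constructed rules reports the rst_all rule as deprecated Flexresp2 syntax and notes that Rich's reset_source rule resets only one side, which matches his later remark that reset_both tears the session down better.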

 
Rich Rumble (Security Samurai) commented:
Just a quick note: HTTPS seems to get missed with the rules I made, well, partially missed; if you reload the pages a few times they will be reset. I won't have time to dig into it further; I know that Snort does have some exceptions in the config file, so it's possible you could get these rules to react faster if those weren't there. Something else I noticed is that "resp: reset_both;" is the better option to use when you want to prevent access; it's better at tearing down the session. Again, Snort has to spoof that packet and send it out on the wire, and it has to beat your other packets, so some information is going to get through, but very, very little.
-rich
 
coerrace (Author) commented:
OK, one last thing.
In the configuration, just to know, did you change something to update the resp, similar to flexresp, or did you install any library?
Thank you
 
Rich Rumble (Security Samurai) commented:
No library, just DL'd the Snort-setup.exe from the site directly (and the RULES files), and changed the config some, added the rules with the "resp" action and that was that.
-rich
 
coerrace (Author) commented:
Thank you for all excellent help.
 
Dave Howe (Software and Hardware Engineer) commented:
@rich:
It's unsurprising that HTTPS gets missed: you are doing outbound rules there, and to decrypt the HTTPS would need an intercepting proxy and some TLS decryption abilities that Snort lacks (if SNI were more common you might be able to filter on hostname, but still not on content).

If you use snort_inline, you can drop the packets without having to resort to the race condition of rst_both (but of course, that doesn't work on Windows) :)