Solved

SNORT windows ban SQL Injection attempts

Posted on 2014-03-31
Last Modified: 2014-04-02
Hello, I'm reading this topic:

https://forum.pfsense.org/index.php?topic=52148.msg278719#msg278719

But the question is: do those alerts automatically ban the SQL injection attempts, or how can the SQL injection attempts be banned once Snort's rules have found them?
I ask because someone got in and added some users to our SQL Server via injection attacks on Windows 2008.
Thank you
Question by: coerrace
13 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39968748
Normally you use Snort in its "inline" mode (although note that the devs for that have moved to Suricata) and respond by either dropping the injection attempt or using a ban period on the offending IP (or both). Bear in mind, though, that this requires having a Snort-enabled Linux box at the point where you wish to prevent traffic. There *is* a method to run Snort on Windows, but because of the limitations of the platform, the best that can be done is to send resets to the requesting host, not deny the traffic (see here).

The point at which you attempt this is also important: pre-webserver may require HTTPS interception, as may webserver-to-SQL (plus, of course, writing rules for non-ASCII protocols like TDS).

you might want to look at prewritten solutions such as GreenWall :)
 

Author Comment

by:coerrace
ID: 39969045
How do I know whether I have flexresp2 installed and working properly? If you look at the link I gave you, it had 3 rules with "alert", and I noticed they come with "resp:rst_all"; in other words, they sound ready to do that. Do the alerts work with Snort, then?
But the most important thing is how I can know whether I have flexresp2 installed, and check it, because I looked a lot on Google and I can't find anything about Windows.
Thank you
These are the rules:
# ------------
# LOCAL RULES
# Each rule first requires a "?" in the normalized URI (a query string) and then
# one keyword, case-insensitive, in that same URI. http_uri modifies the content
# keyword it follows, so it is placed after content:"..."; uricontent already
# searches the URI buffer on its own. rst_all is the legacy flexresp spelling;
# the Snort 2.9 active-response documentation linked later in this thread uses
# reset_both for the same effect.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NT2-SQL Injection-Varchar"; flow:to_server,established; uricontent:"?"; content:"varchar"; nocase; http_uri; resp:rst_all; classtype:web-application-attack; sid:9990001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NT2-SQL Injection-Declare"; flow:to_server,established; uricontent:"?"; content:"declare"; nocase; http_uri; resp:rst_all; classtype:web-application-attack; sid:9990002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NT2-SQL Injection-Exec"; flow:to_server,established; uricontent:"?"; content:"exec"; nocase; http_uri; resp:rst_all; classtype:web-application-attack; sid:9990003; rev:1;)

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39969442
Those rules look for three specific words, declare, varchar and exec, in the HTTP URI; hence they will catch only very, very crude SQL injections.

Let's take the first one in detail.

alert - this rule generates an alert

tcp - on tcp traffic

$EXTERNAL_NET any - $EXTERNAL_NET is a variable; somewhere prior to this you need to have "ipvar $EXTERNAL_NET [<network>]", where normally <network> uses the ! (not) operator and a network you want to allow to bypass the rule (if any).
So this rule works on packets from external addresses, any port.

$HTTP_SERVERS $HTTP_PORTS - two more variables, you must define those with the IPs and ports you plan to protect.

(msg:"xxx"; - send the alert with the message given

flow:to_server,established; - for connections TO the server already established

uricontent: "?"; - for connections that have a question mark in the URL

http_uri; - restricts content searches to the HTTP URI

content: "varchar";nocase; - looks for the word varchar, case insensitive

resp: rst_all; - sends a reset (RST) packet back to the requesting app. *Most* web injection programs will then drop the TCP link (not all).

classtype:web-application-attack; sid:9990001; rev:1;) - adds additional information to the alert.


From this, it would seem that you can test by sending a request to any web page on your server with "?varchar" on the end of the URL.
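The walkthrough above explains what each rule option does. The script below is an added example, not code from the thread and not Snort code: it models the matching of those three rules over a few constructed HTTP requests. The request-target is percent-decoded the way http_inspect's normalized URI buffer is, the uricontent:"?" precondition is applied, and each keyword is then searched case-insensitively (nocase). It shows why the "?varchar" test fires, why a percent-encoded keyword still fires, why an injection in a POST body never fires against a URI-only rule, and why "executive" in a query string is a false positive. Simplifications (assumptions): only the request line is modelled; flow, $HTTP_PORTS and $HTTP_SERVERS are not.

```python
from urllib.parse import unquote

# The three local rules from the thread reduced to (msg, keyword, sid).
# Constructed table; the rule text itself is in the post above.
RULES = [
    ("NT2-SQL Injection-Varchar", "varchar", 9990001),
    ("NT2-SQL Injection-Declare", "declare", 9990002),
    ("NT2-SQL Injection-Exec",    "exec",    9990003),
]


def normalized_uri(request: str) -> str:
    """Approximate the buffer that uricontent/http_uri search: the request-target
    from the request line, percent-decoded as http_inspect normalizes it.
    Assumption: headers and body are never looked at, which is also true of a
    rule whose only content matches are URI matches."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return unquote(parts[1]) if len(parts) >= 2 else ""


def match_rules(request: str) -> list:
    """Return the (msg, sid) pairs of the rules that would alert on this request."""
    uri = normalized_uri(request)
    if "?" not in uri:          # uricontent:"?" has to match before anything else
        return []
    lowered = uri.lower()       # nocase
    return [(msg, sid) for msg, kw, sid in RULES if kw in lowered]


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain":          "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "classic":        "GET /page.asp?id=1;DECLARE%20@s%20VARCHAR(4000) HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "encoded":        "GET /page.asp?id=1;%65xec%20xp_cmdshell HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "false_positive": "GET /search.asp?q=executive+summary HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "post_body":      "POST /login.asp HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 36\r\n\r\n"
                      "user=admin';exec xp_cmdshell 'dir'--",
    "no_query":       "GET /exec/declare HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def classify_samples() -> dict:
    """Map each sample name to the list of sids that fire on it."""
    return {name: [sid for _, sid in match_rules(req)] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in classify_samples().items():
        print(f"{name:15s} -> {sids or 'no alert'}")
```

The "post_body" and "no_query" cases are the ones to keep in mind when judging what these rules buy you: an injection delivered in a form body, or in a path without a query string, passes them untouched, while an innocent search for "executive" gets a reset.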
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39969995
Your Snort install is on Linux, correct? If not, there is no way to send a FIN/RST packet using Snort on Windows. Using Linux it is possible to send a FIN/RST packet to any host; you must enable Active Response first, however:
http://manual.snort.org/node26.html
Flexresp 1 and 2 were deprecated long ago; only Flexresp3 is still supported.
http://blog.snort.org/2010/11/active-response-with-snort-290.html
-rich
 

Author Comment

by:coerrace
ID: 39970018
richrumble: But this link http://doczine.com/bigdata/1/1367055089_a74e98341c/snort.pdf
talks about installing it on Windows as a firewall. We don't have Linux; that is why, reading that document, I am asking the question.
Thank you
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39970075
Hmm, this is news to me; I thought Flexresp* was Linux only. Let me compile a new Snort and see if I can make these rules work. I know Suricata has an "active response"-like library that works on Windows; I just thought flexresp itself was Linux. I apologize if it works. Let me check this out.
-rich
 

Author Comment

by:coerrace
ID: 39970093
OK, if you find out, we'll appreciate it. We only want to know how to enable flexresp on Windows; in other places I heard it is actually inside the package, but really we don't know.
Thank you
 
LVL 38

Accepted Solution

by: Rich Rumble (earned 250 total points)
ID: 39970567
Took a minute to get my Snort.conf right, but these rules worked!
alert tcp 192.168.1.2 any -> any 80 ( content:"www.google.com"; msg: "NOT ALLOWED"; sid:1000008; rev:1; priority:1; resp: reset_source; )
alert tcp any any -> any any ( content:"www.ammonnews.net"; msg:"not allowed access to ammonnew.net please call moath"; priority:1; sid:10000088; rev:3; resp: reset_source;)
alert ip any any -> any any ( content:"www.yahoo.com"; msg:"not allowed access to yahoo.com please call MOATH KBJ"; priority:1;sid:10000089; rev:4; resp: reset_both;)


I called this rules file c:\snort\rules\resp.rules

I stand corrected: Windows can use Flexresp! I've attached my Snort.conf; it assumes that your paths are typical, meaning c:\snort\...
Rules can be downloaded from ET or Snort (if you log in).

To find your Snort interface, if you have more than one, open cmd, cd to snort\bin and then run "snort.exe -W -c c:\snort\etc\snort.conf"; the capital double-u is needed for it to work. Then use settings like those I have in the attached file for your snort.conf, and run Snort as follows:
c:\snort\bin\snort.exe -c c:\snort\etc\snort.conf -i 2
-i 2 is for interface 2; if yours is 1, use 1.
-rich
Snort.conf.txt
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39970630
Just a quick note: HTTPS seems to get missed with the rules I made, well, partially missed; if you reload the pages a few times they will be reset. I won't have time to dig into it further. I know that Snort does have some exceptions in the config file, so it's possible you could get these rules to react faster if those weren't there. Something else I noticed is that "resp: reset_both;" is the better option to use when you want to prevent access; it's better at tearing down the session. Again, Snort has to spoof that packet and send it out on the wire, and it has to beat your other packets, so some information is going to get through, but very, very little.
-rich
 

Author Comment

by:coerrace
ID: 39970741
Ok one last thing.
In the configuration, just so I know: did you change something to enable the resp, similar to flexresp, or did you install any library?
Thank you
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39970753
No library; I just downloaded the Snort-setup.exe from the site directly (and the RULES files), changed the config some, added the rules with the "resp" action, and that was that.
-rich
 

Author Closing Comment

by:coerrace
ID: 39970828
Thank you for all excellent help.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39971610
@rich:
It's unsurprising that HTTPS gets missed: you are doing outbound rules there, and to decrypt the HTTPS you would need an intercepting proxy and TLS decryption abilities that Snort lacks (if SNI were more common you might be able to filter on hostname, but still not on content).

If you use snort_inline, you can drop the packets without having to resort to the race condition of rst_both (but of course, that doesn't work on Windows) :)