iT邦幫忙

2024 iThome 鐵人賽

DAY 28

Security

Security Log Analysis series, part 28

28. SQL Injection Detection (Snort)

Overview

While a host is under SQL injection attack, the attacker has to probe the environment, which usually produces a large volume of abnormal requests. This chapter looks at what an IDS/IPS can see in the network packets and what logs it produces.

Procedure

Set up open-source Snort on the same host as DVWA, running Snort in a container:
https://hub.docker.com/r/linton/docker-snort

docker run -it --rm --net=host linton/docker-snort /bin/bash

(--net=host puts the container on the host's network stack, so Snort can sniff the traffic reaching DVWA.)
  1. First check that packets are being captured: start Snort in sniffing mode, then run sqlmap from the attacker machine.
snort -vd
  2. Confirm that packets are received.
    (screenshot: https://ithelp.ithome.com.tw/upload/images/20241012/20077752T075pUVVg6.png)

  3. Add rules (this is an experiment; in general ...)
    %27 URL-decodes to '
    %22 URL-decodes to "

alert tcp any any -> any 80 (msg:"Error Based SQL Injection Detected"; content:"%27"; sid:100000011;)
alert tcp any any -> any 80 (msg:"Error Based SQL Injection Detected"; content:"%22"; sid:100000012;)

These two rules fire on any occurrence of %27 or %22 anywhere in a TCP payload sent to port 80, including in legitimate form data.

PS. In practice, rules use much longer and more specific matches to avoid false positives. This rule from the Snort community ruleset, for example, pins the match to a specific URI and parameter and then requires a particular sequence of quotes:

# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established; content:"/dm/demarc"; http_uri; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; metadata:ruleset community, service http; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:13;)
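To make the false-positive point concrete, here is an added Python example (written for this page, not code from the original post and not Snort itself) that replays the logic of the two experimental rules and a stricter check against constructed request lines. The sample request lines, the `/search?name=` endpoint and the `SQL_AFTER_QUOTE` heuristic are assumptions for illustration; sqlmap's real payloads vary.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic). The second one is a
# legitimate query containing an apostrophe, the last one is a probe sent with
# an unencoded quote; the rest are sqlmap-style, percent-encoded probes.
SAMPLE_REQUESTS = [
    "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1",
    "GET /search?name=O%27Brien HTTP/1.1",
    "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1",
    "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1--%20&Submit=Submit HTTP/1.1",
    "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%20NULL%2CNULL--%20&Submit=Submit HTTP/1.1",
    "GET /dvwa/vulnerabilities/sqli/?id=1%22%20OR%20%221%22%3D%221&Submit=Submit HTTP/1.1",
    "GET /dvwa/vulnerabilities/sqli/?id=1'&Submit=Submit HTTP/1.1",
]


def loose_rule(request_line: str) -> bool:
    """Same logic as the two experimental rules: any raw %27 or %22 fires."""
    return "%27" in request_line or "%22" in request_line


# Heuristic (assumption, not a Snort rule): a quote only counts when it is
# followed, after optional whitespace, by something that reads as SQL syntax
# (boolean/UNION keyword, comment opener, separator, closing paren, comparison)
# or when it terminates the parameter value ('&' or end of query string).
SQL_AFTER_QUOTE = re.compile(
    r"""['"]\s*(?:(?:and|or|union|select)\b|--|#|/\*|;|\)|=|&|$)""",
    re.IGNORECASE,
)


def request_uri(request_line: str) -> str:
    """Pull the URI out of 'METHOD URI HTTP/x.y' and percent-decode it."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return unquote(parts[1])


def strict_rule(request_line: str) -> bool:
    """Decode first, then require a quote in SQL context in the query string."""
    uri = request_uri(request_line)
    _, _, query = uri.partition("?")  # the path carries no user values here
    return bool(SQL_AFTER_QUOTE.search(query))


def evaluate(requests):
    """Return (request_line, loose_hit, strict_hit) for each request."""
    return [(r, loose_rule(r), strict_rule(r)) for r in requests]


if __name__ == "__main__":
    for line, loose, strict in evaluate(SAMPLE_REQUESTS):
        print(f"loose={loose!s:5} strict={strict!s:5} {line}")
```

Two things show up in the output: the loose check flags the harmless `O%27Brien` lookup, and it misses the probe that sends a bare `'`, because it is matching the literal bytes `%27` rather than the decoded value. In Snort the usual fix for the second problem is to match on the normalized URI buffer (`content:"'"; http_uri;`) the way the community rule above anchors its `/dm/demarc` match, instead of on the raw percent-encoded bytes.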
  4. Run Snort with the configuration file and a log directory:
snort -A console -c /etc/snort/etc/snort.conf -l /etc/snort
  5. After sqlmap is run, Snort detects the anomalous requests and raises alerts on the console:
    (screenshot: https://ithelp.ithome.com.tw/upload/images/20241012/2007775297AXC7oD0r.png)

View the full log at /etc/snort/snort.log
(screenshot: https://ithelp.ithome.com.tw/upload/images/20241012/20077752iXFLpM9I8p.png)
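The overview says the giveaway of a sqlmap run is the burst of requests, and the console alerts are what a log pipeline would ingest. The following is an added Python example (mine, not the post's or Snort's code) that parses Snort's fast/console alert format and reports sources that raised many alerts inside a short window. The alert lines are constructed to look like what the two experimental rules would emit; the year (Snort's fast format omits it), the 10-second window and the threshold of 5 are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed alert lines in Snort 2 fast/console format (not a real capture).
# 192.168.56.101 hammers the DVWA host with probes; 192.168.56.50 trips the
# loose rule once, which is the kind of hit the stricter rules would avoid.
SAMPLE_ALERTS = """\
10/12-14:03:21.104211  [**] [1:100000011:0] Error Based SQL Injection Detected [**] [Priority: 0] {TCP} 192.168.56.101:51230 -> 192.168.56.102:80
10/12-14:03:21.271847  [**] [1:100000011:0] Error Based SQL Injection Detected [**] [Priority: 0] {TCP} 192.168.56.101:51231 -> 192.168.56.102:80
10/12-14:03:21.402910  [**] [1:100000012:0] Error Based SQL Injection Detected [**] [Priority: 0] {TCP} 192.168.56.101:51232 -> 192.168.56.102:80
10/12-14:03:21.588021  [**] [1:100000011:0] Error Based SQL Injection Detected [**] [Priority: 0] {TCP} 192.168.56.101:51233 -> 192.168.56.102:80
10/12-14:03:22.017733  [**] [1:100000011:0] Error Based SQL Injection Detected [**] [Priority: 0] {TCP} 192.168.56.101:51234 -> 192.168.56.102:80
10/12-14:03:22.233190  [**] [1:100000012:0] Error Based SQL Injection Detected [**] [Priority: 0] {TCP} 192.168.56.101:51235 -> 192.168.56.102:80
10/12-14:05:40.900112  [**] [1:100000011:0] Error Based SQL Injection Detected [**] [Priority: 0] {TCP} 192.168.56.50:40022 -> 192.168.56.102:80
"""

# timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text: str, year: int = 2024):
    """Yield one dict per well-formed alert line; silently skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # The fast format has no year field, so the caller supplies one (assumption).
        d["time"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        d["sid"] = int(d["sid"])
        yield d


def find_bursts(alerts, window_s: float = 10.0, threshold: int = 5):
    """
    Group alerts by source IP and report each source that raised at least
    `threshold` alerts inside some sliding window of `window_s` seconds.
    Returns {src_ip: (max_alerts_in_one_window, sorted list of sids seen)}.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    bursts = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["time"])
        start, best = 0, 0
        for end in range(len(items)):
            # slide the window start forward until it fits within window_s of items[end]
            while (items[end]["time"] - items[start]["time"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = (best, sorted({a["sid"] for a in items}))
    return bursts


def summarize(text: str):
    """Return (alerts per source IP, burst report) for a block of console output."""
    alerts = list(parse_alerts(text))
    return Counter(a["src"] for a in alerts), find_bursts(alerts)


if __name__ == "__main__":
    per_src, bursts = summarize(SAMPLE_ALERTS)
    for src, n in per_src.most_common():
        flag = "BURST" if src in bursts else "single hits"
        print(f"{src:16} {n:3} alerts  {flag}")
```

The per-source count alone already separates the scanner from the one-off hit, but the sliding window is what distinguishes "many alerts over a day" from "many alerts in a second", which is the signature sqlmap leaves. Feeding the real console output through the same parser only requires redirecting Snort's stdout to a file.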
