說明

主機遭受SQL Injection時，因為攻擊方要探查環境資訊，通常會有大量異常請求，這章來看一下用IDS/IPS從網路封包能看到什麼，產生什麼日誌

作法

建立OpenSource的Snort，與DVWA同一台主機，建立Snort的container
https://hub.docker.com/r/linton/docker-snort

docker run -it --rm --net=host linton/docker-snort /bin/bash

1. 先觀察有沒有錄到封包，執行後再到攻擊機下sqlmap

snort -vd

2. 確認有收到
   

3. 添加規則(這是實驗，一般)
   %27 URL_Decode是'
   %22 URL_Decode是"

alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%27" ; sid:100000011; )
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%22" ; sid:100000012; )

PS. 實務上為了避免誤判會寫較長的比對

# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established; content:"/dm/demarc"; http_uri; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; metadata:ruleset community, service http; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:13;)

4. 執行snort

snort -A console -c /etc/snort/etc/snort.conf -l /etc/snort

5. 下sqlmap後偵測異常並告警
   

查看完整記錄/etc/snort/snort.log

REF

SQLMap 實戰(可怕的 SQL Injection漏洞)
https://atic-tw.blogspot.com/2014/04/sqlmap-sql-injection.html

Detect SQL Injection Attack using Snort IDS
https://www.hackingarticles.in/detect-sql-injection-attack-using-snort-ids/