Hey there! Today we're taking a deep dive into how to use Snort to detect SQL injection attacks. Before we jump in, make sure you've checked out our previous articles on Snort installation (manual or via the apt repository) and on rule configuration, which set Snort up as an Intrusion Detection System (IDS) for your network.
In this tutorial we'll use Snort to capture network traffic and flag SQL injection attempts against a web application, that is, requests that try to pull information out of the web server's database. Snort acts as our watchdog, raising an alert whenever one of our rules matches suspicious traffic, so a network administrator can investigate quickly and act against the attacking IP.
Requirements:
- IDS: Snort (Ubuntu)
- Web application: Dhakkan
You can set up your own web server by referring to our article “Configure Web Server for Penetration Testing.”
Let’s dive in!
Detect SQL Injection Attack by Snort IDS: Step by Step Guide
Step 1. Identifying Error-Based SQL Injection
In error-based SQL injection, an attacker appends a single quote (') or a double quote (") to a parameter to break the syntax of the SQL query; a database error in the response confirms the vulnerability. Let's be proactive and write Snort rules that flag these quote characters on their way to our server.
Open the Snort local rule file in a text editor by running the following command in Ubuntu’s terminal:
sudo gedit /etc/snort/rules/local.rules
Add the following lines to inspect all incoming traffic to TCP port 80 on any IP:
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%27" ; sid:100000011; )
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%22" ; sid:100000012; )
These rules look for the strings %27 and %22, the URL-encoded (percent-encoded) forms of the single quote (') and double quote (") that a browser sends when those characters appear in a URL. Each rule is a plain substring search over the raw TCP payload, so two caveats apply: a client that sends the quote unencoded (curl does this by default) will not trigger either rule, and any legitimate URL containing an encoded apostrophe, such as a search for don%27t, will.
Turn on IDS mode of Snort by executing the following command in the terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Now let's test the rule by launching an error-based injection against the Dhakkan web application. Open the target in a browser and append a single quote (') to the id parameter:
192.168.1.20/sqli/Less-1/?id=1'
For more details on error-based SQL injection, refer to our previous article.
When the attacker sends the quote, Snort should match the encoded character in the request and print an alert on the console.
In our test Snort did raise the "Error Based SQL Injection Detected" alert on seeing the %27, giving the network admin a source IP to act on.
Step 2. Testing Double Quotes Injection
Similarly, test double-quote injection by opening the server IP in a browser and appending a double quote (") to the id parameter:
192.168.1.20/sqli/Less-4/?id=1"
Just as before, Snort should match the encoded character (%22 this time) and generate an alert.
In our test it did, so the network admin again has an attacking IP to act on.
Step 3. Boolean-Based SQL Injection
In boolean-based (blind) SQL injection, an attacker appends conditions with AND/OR operators (for example and 1=1 versus and 1=2) and compares the two responses to confirm the injection without needing a visible database error. Let's set up rules in Snort to flag these operators.
Add the following rules to capture the AND and OR keywords:
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000060; )
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000061; )
Restart Snort in IDS mode as before and test boolean-based injection with AND and OR payloads.
Snort should match the operators and alert. Be aware that these two rules match the bare substrings "and" and "or" anywhere in the packet, case-insensitively (nocase), so they will also fire on ordinary words such as order, brand or android and on header names like Authorization; they are fine for a lab but far too noisy for a production sensor without narrowing the match.
Step 4. Encoded AND/OR
You can also catch the symbolic forms of the operators, && and ||, which appear URL-encoded as %26%26 and %7C%7C:
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "%26%26" ; sid:100000008; )
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "%7C%7C" ; sid:100000009; )
Test with encoded && and || payloads and verify that Snort alerts on them.
Step 5. Identifying Form-Based SQL Injection
Form-based SQL injection, sometimes called "POST error-based SQL injection", means sending the malicious quote through a web form (a login form, for example) rather than in the URL, so the payload travels in the body of a POST request.
Add the following rule to Snort to analyze form-based SQL injections:
alert tcp any any -> any 80 (msg: "Form Based SQL Injection Detected"; content: "%27" ; sid:1000003; )
Submit a quote through the form and confirm that Snort alerts. Because the rule matches the raw TCP payload rather than only the URL, it sees the POST body as well. Note that it is the same content match as the Step 1 rule, so a quote in a form submission fires both alerts.
Step 6. Identifying Order by SQL Injection
ORDER BY injection appends order by N to the query and increases N until the database errors out, which reveals how many columns the query returns, a prerequisite for the UNION attack in Step 7.
Add the following rule to Snort to analyze order by SQL injections:
alert tcp any any -> any 80 (msg: "Order by SQL Injection"; content: "order" ; sid:1000005; )
Test an ORDER BY injection and verify that Snort catches the order by string in the URL. The match is case-sensitive as written, so ORDER BY in upper case will not fire unless you add nocase; as in Step 3.
Step 7. Identifying Union-Based SQL Injection
In union-based SQL injection, the attacker appends UNION SELECT to combine the results of an injected SELECT with those of the original query, so that data from other tables is rendered in the page.
Add the following rule to Snort to analyze union-based SQL injections:
alert tcp any any -> any 80 (msg: "UNION SELECT SQL Injection"; content: "union" ; sid:1000006; )
Test with a union select payload and confirm that Snort alerts. As in Step 6 the match is case-sensitive, so an upper-case UNION SELECT needs nocase; to be caught.
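To see exactly what the nine rules from Steps 1 through 7 do and do not catch without standing up a sensor, here is a small Python simulation of their matching logic. It is an added example, not code from the original article or from Snort. It copies the rules verbatim, implements only the options they use (a literal content substring search over the raw TCP payload, with nocase), and runs them over a handful of constructed HTTP requests: the 192.168.1.20 host and Less-1 paths follow the lab above, while the /login form handler and the benign support page are made up.

```python
"""Mini-simulation of the content matches in the local.rules entries above.

Added example; not part of the original page or of Snort. It re-implements
only what the page's rules use: a literal `content` substring match over the
raw TCP payload, optionally `nocase`. The header part of each rule
(tcp any any -> any 80) is ignored, and no HTTP normalisation is done, which
is also what Snort does for these rules since they carry no http_* modifiers.
A whole request is treated as one payload; a real sensor matches per packet.
"""

# The nine rules from Steps 1-7, copied verbatim from local.rules.
LOCAL_RULES = """
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%27" ; sid:100000011; )
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%22" ; sid:100000012; )
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000060; )
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000061; )
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "%26%26" ; sid:100000008; )
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "%7C%7C" ; sid:100000009; )
alert tcp any any -> any 80 (msg: "Form Based SQL Injection Detected"; content: "%27" ; sid:1000003; )
alert tcp any any -> any 80 (msg: "Order by SQL Injection"; content: "order" ; sid:1000005; )
alert tcp any any -> any 80 (msg: "UNION SELECT SQL Injection"; content: "union" ; sid:1000006; )
"""

# Constructed HTTP requests (not real captures). /login is a made-up form
# handler; the benign page is a made-up URL chosen to contain ordinary words.
REQUESTS = {
    "error_based_quote":   "GET /sqli/Less-1/?id=1%27 HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",
    "raw_quote_unencoded": "GET /sqli/Less-1/?id=1' HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",
    "boolean_and":         "GET /sqli/Less-1/?id=1%27%20and%201=1--+ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",
    "encoded_or":          "GET /sqli/Less-1/?id=1%27%7C%7C1=1--+ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",
    "order_by":            "GET /sqli/Less-1/?id=1%27%20order%20by%203--+ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",
    "union_lower":         "GET /sqli/Less-1/?id=-1%27%20union%20select%201,2,3--+ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",
    "union_upper":         "GET /sqli/Less-1/?id=-1%27%20UNION%20SELECT%201,2,3--+ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",
    "post_form_quote":     ("POST /login HTTP/1.1\r\nHost: 192.168.1.20\r\n"
                            "Content-Type: application/x-www-form-urlencoded\r\n"
                            "Content-Length: 23\r\n\r\nuname=admin%27&passwd=x"),
    "benign_page":         ("GET /support/brands/order-status.html HTTP/1.1\r\nHost: 192.168.1.20\r\n"
                            "Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l\r\n\r\n"),
}


def parse_rule(line):
    """Parse the option block of one rule into a dict (subset of Snort syntax).

    Supported options: msg, content, sid, nocase. Content strings are assumed
    to contain no ';', no '"' and no |hex| escapes, which holds for the rules
    on this page.
    """
    options = line[line.index("(") + 1:line.rindex(")")]
    rule = {"nocase": False}
    for opt in options.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "nocase":
            rule["nocase"] = True
        elif key in ("msg", "content"):
            rule[key] = value
        elif key == "sid":
            rule["sid"] = int(value)
    return rule


def parse_rules(text):
    """Parse every 'alert ...' line in a rules file body."""
    return [parse_rule(line) for line in text.splitlines() if line.strip().startswith("alert")]


def matching_sids(rules, payload):
    """Return the sids of all rules whose content occurs in the raw payload, in rule order."""
    sids = []
    for rule in rules:
        hay, needle = payload, rule["content"]
        if rule["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            sids.append(rule["sid"])
    return sids


def run_all(rules=None, requests=None):
    """Map each sample request name to the list of sids that would alert on it."""
    rules = rules or parse_rules(LOCAL_RULES)
    requests = requests or REQUESTS
    return {name: matching_sids(rules, payload) for name, payload in requests.items()}


if __name__ == "__main__":
    msg_by_sid = {r["sid"]: r["msg"] for r in parse_rules(LOCAL_RULES)}
    for name, sids in run_all().items():
        alerts = [f"{sid} {msg_by_sid[sid]}" for sid in sids] or "no alert"
        print(f"{name:20s} -> {alerts}")
```

Running it shows the gaps the prose above warns about: the unencoded quote triggers nothing, the upper-case UNION SELECT triggers only the quote rules because the union match is case-sensitive, the POST form is caught by both %27 rules but also by the "or" rule via the word "form" in its Content-Type header, and the entirely benign support page raises three alerts from "brands", "order" and "Authorization". If you later restrict a content match with http_uri, remember that Snort then searches the normalised URI, in which percent-encoding has already been decoded, so the content to look for becomes the literal quote character rather than %27.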
Summary
With these rules in place, Snort alerts network administrators to the common SQL injection probes: quote characters, boolean operators, ORDER BY and UNION SELECT. Treat them as a starting point rather than a finished ruleset: each is a plain substring match over the whole payload, so for a production sensor you would restrict them to established client-to-server flows and to the HTTP URI or client body, add nocase where keywords are involved, and tune thresholds, to keep false positives manageable.
Remember, staying vigilant against SQL injection attacks is crucial for safeguarding your network and data integrity.