alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner"; flow:established,to_server; content:"|0d 0a|User|2D|Agent|3A|"; content:"SQL"; nocase; within:200; content:"Inject"; nocase; distance:0; pcre:"/User-Agent\x3A[^\n].+sql.+(inject|injection)/i"; classtype:attempted-recon; reference:url,www.owasp.org/index.php/SQL_Injection; sid:2010083; rev:1;)

Added 2009-10-12 22:45:39 UTC


Topic revision: r1 - 2009-10-13 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats