Block An automated SQLI

joel_k · January 8, 2021, 4:59am

AM still new to suricata. got an alert from my splunk . (Note: this is for learning purpose)
10.157.31.87 - - [02/Jan/2021:17:30:50 +0000] "GET /images.php?id=bXlzcWwgLS11c2VyPXJvb3QgLS1wYXNzd29yZD1yb290Cg== HTTP/1.1" 200 31 "-" "curl/7.58.0"

i tried this rule its not working am stuck any help will appreciate it.

drop http 10.63.120.219 any -> any any (msg:"sql bruteforce"; priority: 1; uricontent:"GET /images.php?"; sid:10000001; rev: 1;)

syoc · January 11, 2021, 3:32pm

Have a look at 6.12. HTTP Keywords — Suricata 6.0.1 documentation
The GET part of the request should not be in the content match. I would also advise against using uricontent as it’s an old keyword.

An alternative would be drop http 10.63.120.219 any -> any any (msg:"sql bruteforce"; priority: 1; http.method; content:"GET"; http.uri; content:"/images.php?"; sid:10000001; rev: 1;)

Topic		Replies	Views
I want to block specific word for any website, please tell me anyone how is it possible, i'm new in information security Help ips , community , rules , suricata	1	186	October 23, 2023
Unknown rule keyword 'flow.pkts_toclient' Help rules	2	134	February 6, 2024
File extraction based on http/smtp/smb keywords	10	425	May 11, 2023
Get URL from HTTP packet Help rules , suricata	2	783	January 11, 2023
Editing Suricata rule to exclude specific string Help rules	3	390	October 25, 2023

Block An automated SQLI

Related Topics