Open R4164 opened 4 years ago
# CRS rule 942320: flags stored procedure/function SQL injection patterns (MySQL and PostgreSQL, per msg).
# Inspected targets: cookie values except those whose name matches /__utm/, cookie names,
# argument names, argument values, and every XML node (XML:/*).
# The case-insensitive regex has five alternatives:
#   1. create procedure|function <name>() -
#   2. ; declare|open <identifier>
#   3. procedure analyse(
#   4. declare <non-word chars> @|# <name>
#   5. exec(@
# phase:2 evaluates the rule once the request body is available. t:none clears inherited
# transformations, then t:urlDecodeUni URL-decodes the value (including %uXXXX) before matching.
# capture stores the matched text in TX:0. block defers to the disruptive action set by
# SecDefaultAction, so the effect of a match depends on the surrounding configuration.
# NOTE(review): no setvar/logdata action is visible here, so as written a match does not feed an
# anomaly score or log the matched data. Presumably trimmed for the issue; confirm against the shipped rule file.
# NOTE(review): the " \ " sequences are line continuations flattened onto one line. ModSecurity only
# accepts a backslash as the last character of a physical line, so restore the line breaks before loading.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:create\s+(?:procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-|;\s*?(?:declare|open)\s+[\w-]+|procedure\s+analyse\s*?\(|declare[^\w]+[@#]\s*?\w+|exec\s*?\(\s*?\@))" \ "id:942320,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ tag:'application-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'OWASP_TOP_10/A1',\ ver:'OWASP_CRS/3.2.0',\ severity:'CRITICAL'"
# Suricata rendering of CRS rule 942320: same regex and message text, with the CRS id reused as sid.
# NOTE(review): as shown, this line does not parse as a Suricata rule:
#   - the message is a bare single-quoted string; Suricata expects msg:"...";
#   - flow:established ends in a comma instead of ';', so the next option runs into it;
#   - content: takes a literal byte pattern, not a regular expression, and its opening quote is
#     missing; the expression belongs in pcre:"/.../" with flags after the closing slash, and a
#     bare "pcre;" carries no pattern;
#   - classtype:owasp-crs must be declared in classification.config (it does not look like a stock
#     classtype; confirm).
# NOTE(review): detection coverage differs from the ModSecurity rule. http_raw_header inspects the
# raw, un-normalised header buffer, while the SecRule matches URL-decoded cookies, arguments and XML
# body content. Payloads in the query string or request body, or URL-encoded ones, would be missed.
# NOTE(review): $HOME_NET -> $EXTERNAL_NET matches requests leaving the home network. To protect a
# web server inside HOME_NET the direction would be reversed and flow would carry to_server; confirm
# the intended deployment.
# NOTE(review): the " \ " sequences are line continuations flattened onto one line; restore the line
# breaks (backslash as last character of each line) or join the options without them.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \ 'Detects MySQL and PostgreSQL stored procedure/function injections'; \ flow:established, \ content:(?i:(?:create\s+(?:procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-|;\s*?(?:declare|open)\s+[\w-]+|procedure\s+analyse\s*?\(|declare[^\w]+[@#]\s*?\w+|exec\s*?\(\s*?\@))"; pcre; http_raw_header; \ metadata: application-multi; reference:url,https://doxygen.openinfosecfoundation.org; classtype:owasp-crs; sid:942320; rev:4; metadata:created_at 2019_12_3, updated_at 2019_12_4;)