Regex format in SQL_Injection watchlist?

Discussion created by RSA Admin Employee on Feb 29, 2012

I'm trying to use CRL-00211 on our Apache logs with the SQL_Injection watchlist provided in the latest watchlist_sample.zip.  The alert won't fire and I'm wondering about the format of the watchlist entries. The Help says enVision uses POSIX regex.

.*%27\+*OR\+*[0-9]+\+*%3D\+*[0-9]+.*
.*UNION\+*SELECT.*
.*GROUP\+*BY.*HAVING.*
.*(SELECT|INSERT\+*INTO|UPDATE|CREATE|DELETE|DROP|EXEC|HAVING|ALTER|TRUNCATE).*

Isn't the use of the "\" going to turn the one-or-more operator "+" into a literal character?  It seems like the "\+*" should be ".+" for all uses.

It also seems superfluous to have ".*" on either side of the expression. If nothing else, this might impact performance.

Has anyone created a better list of regex?  I realize enVision isn't the best place to be detecting SQL injection, but it's a start.
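As an added example (not from the original post, and not RSA's or enVision's own code), the following Python runs the four watchlist entries quoted above against constructed Apache log lines. It assumes Python's `re.search` (case-sensitive, unanchored) is a reasonable stand-in for enVision's POSIX matcher; it shows what `\+*` actually matches, that dropping the outer `.*` changes no verdict, and that the fourth entry also fires on an ordinary path that happens to contain a keyword.

```python
import re

# The four SQL_Injection watchlist entries from the post, copied verbatim.
WATCHLIST = [
    r".*%27\+*OR\+*[0-9]+\+*%3D\+*[0-9]+.*",
    r".*UNION\+*SELECT.*",
    r".*GROUP\+*BY.*HAVING.*",
    r".*(SELECT|INSERT\+*INTO|UPDATE|CREATE|DELETE|DROP|EXEC|HAVING|ALTER|TRUNCATE).*",
]

# Constructed Apache access-log lines (test fixtures, not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [29/Feb/2012:10:01:02 -0500] "GET /search.php?q=shoes HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Feb/2012:10:01:03 -0500] "GET /item.php?id=1+UNION+SELECT+1,2 HTTP/1.1" 200 777',
    '10.0.0.9 - - [29/Feb/2012:10:01:04 -0500] "GET /item.php?id=1%27+OR+1%3D1 HTTP/1.1" 200 777',
    '10.0.0.7 - - [29/Feb/2012:10:01:05 -0500] "GET /news/UPDATE-2012.html HTTP/1.1" 200 100',
]


def matching_entries(line, patterns=WATCHLIST):
    """Return the indexes of the watchlist entries that match one log line."""
    return [i for i, p in enumerate(patterns) if re.search(p, line)]


def strip_outer_wildcards(pattern):
    """Drop a leading/trailing '.*'; with an unanchored search they add nothing
    but backtracking work. (None of the four entries ends in an escaped '.*'.)"""
    if pattern.startswith(".*"):
        pattern = pattern[2:]
    if pattern.endswith(".*"):
        pattern = pattern[:-2]
    return pattern


def outer_wildcards_are_redundant(lines):
    """True if every line gets the same verdicts with and without the outer '.*'."""
    trimmed = [strip_outer_wildcards(p) for p in WATCHLIST]
    return all(matching_entries(l) == matching_entries(l, trimmed) for l in lines)


def plus_star_demo():
    """'\\+*' is 'zero or more literal plus signs', i.e. the URL-encoded spaces
    between keywords in a query string; it is not 'one or more of anything'."""
    probes = ["UNION+SELECT", "UNION+++SELECT", "UNIONSELECT", "UNION SELECT", "UNION%20SELECT"]
    return {s: bool(re.search(WATCHLIST[1], s)) for s in probes}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(matching_entries(line), line.split('"')[1])
    print("outer .* redundant:", outer_wildcards_are_redundant(SAMPLE_LOGS))
    print(plus_star_demo())
```

Note that the third sample line (the `%27...%3D` entry) is only caught because the plus signs stay encoded; a space or `%20` between the keywords is not matched by `\+*`, which is the gap the post is asking about.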
