How to Detect SQL Injection Attack Using Snort IDS in 2024

Hey there! Today, we’re taking a deep dive into how to use Snort to detect SQL injection attacks. But before we jump in, make sure you’ve checked out our previous articles on Snort installation (whether manual or via the apt repository) and its rule configuration, which set it up as an Intrusion Detection System (IDS) for your network.

In this tutorial, we’ll use Snort to capture network traffic and analyze SQL injection attempts against web pages, attempts whose goal is to extract information from the database behind a web server. Snort acts as our watchdog, generating alerts for malicious traffic seen on the network, so network administrators can respond swiftly to suspicious activity and take action against the attacking IPs.

Requirements:

  • IDS: Snort (Ubuntu)
  • Web application: Dhakkan

You can set up your own web server by referring to our article “Configure Web Server for Penetration Testing.”

Let’s dive in!

Detect SQL Injection Attack by Snort IDS: Step by Step Guide

Step 1. Identifying Error-Based SQL Injection

In error-based SQL injection, attackers insert single quotes (') or double quotes (") to break the syntax of the SQL query and identify vulnerabilities from the resulting error messages. Let’s be proactive and set up a rule in Snort to analyze error-based SQL injection attempts against our server.

Open the Snort local rule file in a text editor by running the following command in Ubuntu’s terminal:

Add the following lines to capture incoming traffic on any network IP via port 80:

In the above rules, we’re matching on the content "%27" and "%22", the URL-encoded forms of the single quote (') and double quote (") that browsers produce when they submit a URL.

Turn on IDS mode of Snort by executing the following command in the terminal:

Now, let’s test our rule by attempting an error-based SQL injection against the “Dhakkan” web application. Open the server IP in a web browser and append a single quote (') to the URL to test for an SQL injection vulnerability:

For more details on error-based SQL injection, refer to our previous article.

When an attacker submits malicious quotes from the browser to test for error-based SQL injection, the IDS should capture this content and generate an alert.

Based on our observations, Snort has indeed generated an alert for error-based SQL injection upon capturing malicious quotes. This alert enables the network admin to take action against the attacking IP.

Step 2. Testing Double Quotes Injection

Similarly, let’s test double-quote injection by opening the server IP in a web browser and appending a double quote (") to the URL:

Just as before, Snort should capture this content and generate an alert.

Upon testing double quotes injection, Snort indeed generates an alert, allowing the network admin to take necessary action.

Step 3. Boolean-Based SQL Injection

In boolean-based SQL injection, attackers append conditions with the AND/OR operators and watch whether the page’s response changes, confirming that the database is vulnerable. Let’s set up a rule in Snort to analyze boolean-based SQL injection.

Add the following rules to capture AND and OR operators:

Turn on IDS mode of Snort and test boolean-based SQL injection using AND and OR operators.

Snort should capture these operators and generate alerts accordingly.

Step 4. Encoded AND/OR

You can also capture encoded AND/OR operators using the following rules:

Test the encoded AND/OR operators and verify that Snort captures them.

Step 5. Identifying Form-Based SQL Injection

Form-based SQL injection, also known as “Post Error-based SQL injection,” involves executing malicious quotes within a web page’s login form to exploit vulnerabilities.

Add the following rule to Snort to analyze form-based SQL injections:

Test form-based SQL injection and ensure that Snort captures the malicious content.

Step 6. Identifying Order by SQL Injection

Order by SQL injection involves using the ORDER BY clause to identify the number of columns in a database.

Add the following rule to Snort to analyze order by SQL injections:

Test order by SQL injection and verify that Snort captures the string “order by” in the URL.

Step 7. Identifying Union-Based SQL Injection

In union-based SQL injections, attackers use the UNION operator to combine results from multiple SELECT statements.

Add the following rule to Snort to analyze union-based SQL injections:

Test union-based SQL injection and ensure that Snort captures the union select query.
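To make the matching behind Steps 1 to 7 concrete, here is an added Python example (not part of the article and not Snort rule syntax) that applies the same content patterns to constructed HTTP request lines after URL-decoding them, which is why a single pattern covers both "%27" and a literal quote, and both "AND" and its encoded form from Step 4. The path /app/page.php, the sample requests and the pattern names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Patterns mirroring the article's steps, applied to the request URI after
# URL-decoding. The names are this example's own, not Snort rule messages.
PATTERNS = [
    ("error-based (single quote)", re.compile(r"'")),
    ("error-based (double quote)", re.compile(r'"')),
    ("boolean-based (AND/OR)",     re.compile(r"\b(and|or)\b\s*\S+\s*=", re.I)),
    ("order-by column probe",      re.compile(r"\border\s+by\b", re.I)),
    ("union-based",                re.compile(r"\bunion\b.*\bselect\b", re.I)),
]

def request_uri(request_line: str) -> str:
    """Return the URI from a request line such as 'GET /x?y=1 HTTP/1.1'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""

def classify(request_line: str) -> list:
    """Return the names of every pattern matching the decoded URI."""
    uri = unquote_plus(request_uri(request_line))
    # A second decoding pass also catches double-encoded input such as %2527.
    uri = unquote_plus(uri)
    return [name for name, rx in PATTERNS if rx.search(uri)]

# Constructed sample request lines (not captured traffic); path is assumed.
SAMPLES = [
    "GET /app/page.php?id=1 HTTP/1.1",
    "GET /app/page.php?id=1%27 HTTP/1.1",
    "GET /app/page.php?id=1%22 HTTP/1.1",
    "GET /app/page.php?id=1%27%20AND%201=1 HTTP/1.1",
    "GET /app/page.php?id=1%27%20%41%4E%44%201=2 HTTP/1.1",
    "GET /app/page.php?id=1%27%20order%20by%203 HTTP/1.1",
    "GET /app/page.php?id=-1%27%20union%20select%201,2,3 HTTP/1.1",
]

def run(samples=SAMPLES) -> dict:
    """Map each request line to the alert names it would raise."""
    return {line: classify(line) for line in samples}

if __name__ == "__main__":
    for line, alerts in run().items():
        print(f"{alerts or ['clean']}  {line}")
```

As with the Snort content matches, a bare quote or the word "and" also appears in legitimate requests, so these patterns need tuning against real traffic before being treated as high-confidence alerts.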

Summary

With these rules in place, Snort can effectively detect and alert network administrators about various SQL injection attacks, enabling them to take prompt action against malicious activities.

Remember, staying vigilant against SQL injection attacks is crucial for safeguarding your network and data integrity.
