ACKNOWLEDGMENT

I would like to thank Allah for giving me the patience to work hard and overcome all the research obstacles. My full gratitude is to Dr. Mohammed Al-Jarrah and Dr. Izzat Alsmadi for their supervision and precious advice. Without their support this work would not have been possible. My deep thanks go to my thesis committee. My thanks also go to my friends for their honest friendship and care, and for being kind enough to provide help and support. Appreciation is also extended to my family, which has always been by my side: my father, my mother, my brothers and sister, Adel, Hasan, Mohammad, and Hussam, who have always been near me.

Hussein AlNabulsi
May 22, 2013
TABLE OF CONTENTS

Contents  Page
ACKNOWLEDGMENT  1
TABLE OF CONTENTS  2
LIST OF FIGURES  6
LIST OF TABLES  9
LIST OF ABBREVIATIONS  10
ABSTRACT  11
CHAPTER 1: Introduction  12
1.1 Problem Statement  13
1.2 Purpose of the Study  14
1.3 Methodology  15
1.4 Contribution  15
1.5 Scope and Limitation  15
1.6 Thesis Structure  16
CHAPTER 2: Background and Literature Review  17
2.1 Introduction  17
2.2 Background  17
2.2.1 SNORT Structure  17
2.2.2 SNORT Under Windows  19
2.2.3 Using SNORT for SQL Injection Attacks  20
2.2.4 Examples of SQL Injection Attacks  21
2.2.5 SNORT Rules Description  23
2.2.6 Hackers' Web Attacking Mode  25
2.2.7 Drawbacks of Intrusion Detection Systems (IDS)  27
2.3 Literature Review  28
2.3.1 SQL Injection Attacks  28
2.3.2 SNORT Usage Evaluation  32
2.3.3 SNORT Utilization for Detecting and Preventing SQL Injection Attacks  33
CHAPTER 3: Methodology and Approaches  42
3.1 Methodology  42
3.2 Steps of SQL Injection Attacks  43
3.3 Perl Regular Expressions for SQL Injection  47
3.4 Using the SNORT Tool for Detecting SQL Injection Attacks  49
3.5 SNORT Network Topology  50
CHAPTER 4: Experimental Results and Discussion  51
4.1 Methods of Writing SQL Injection  52
4.1.1 Poorly Filtered Strings  52
4.1.2 Different Encoding Issues  54
4.1.3 White Space Multiplicity  57
4.1.4 Arbitrary String Patterns  58
4.1.5 Bypass Techniques  59
4.1.6 Grouping Concatenated Supplied Strings  62
4.1.7 Information Gathering Techniques  71
4.1.7.1 @@version  71
4.1.7.2 Server Hostname  73
4.1.7.3 Server MAC Address  75
4.1.7.4 Database Data Directory  76
4.1.8 Experimental Results for the Discussed SNORT Rules  78
4.2 Proposed Set of SNORT Rules for SQL Injection Detection  81
4.2.2 SNORT Rules Case Study  90
4.2.3 Applying the SQL Injection Attacks on Damn Vulnerable Web Application (DVWA)  92
4.3 A Comparison Study  92
4.3.1 Summary Table for the Comparison Study  109
4.3.2 Conclusion of the Comparison Study  109
CHAPTER 5: CONCLUSIONS AND FUTURE WORK  111
5.1 Conclusion  111
5.2 Future Work  112
CHAPTER 6: REFERENCES  114
CHAPTER 7: Appendix  118
LIST OF FIGURES

Figure  Title  Page
Figure 2.1  SNORT Architecture  19
Figure 2.2  A simple PHP login page with a possible injection attack  21
Figure 2.3  An example of an SQL injection attack  22
Figure 3.1  An example of a vulnerable webpage  44
Figure 3.2  SNORT Network Topology  50
Figure 4.1  Retrieving the password of the admin  53
Figure 4.2  Result of SQL injection  55
Figure 4.3  63
Figure 4.4  64
Figure 4.5  64
Figure 4.6  65
Figure 4.7  66
Figure 4.8  67
Figure 4.9  68
Figure 4.10  68
Figure 4.11  Retrieving a user name and password  69
Figure 4.12  Retrieving the password of admin  71
Figure 4.13  Retrieving the version of the server  72
Figure 4.14  Retrieving the hostname of the server  74
Figure 4.15  Retrieving the MAC address of the server  75
Figure 4.16  Retrieving the data directory of the server  77
Figure 4.17  SNORT  87
Figure 4.18  SNORT  94
Figure 4.19  SNORT rules detect the SQL injection attack  95
Figure 4.20  SNORT rules detect the SQL injection attack  98
Figure 4.21  SNORT  98
Figure 4.22  SNORT rules that were not able to detect the SQL injection attack  102
Figure 4.23  SNORT rules detect the SQL injection attack  102
Figure 4.24  SNORT rule  104
Figure 4.25  SNORT rules detect the SQL injection attack  105
Figure 4.26  SNORT rules detect the SQL injection attack  108
Figure 4.27  SNORT  108
LIST OF TABLES

Table  Title  Page
Table 2.1  Description of SNORT rule content  24
Table 2.2  Comparison of the reviewed approaches that focus on SQL injection attacks and are similar to the approach of our contribution  37
Table 4.1  General SQL injection symbols and keywords that can be used by attackers  52
Table 4.2  Summary table of SQL injections and SNORT rules  78
Table 4.3  Examples of normal websites  90
Table 4.4  Summary table for the comparison study  109
LIST OF ABBREVIATIONS

IDS  Intrusion Detection System
DVWA  Damn Vulnerable Web Application
NIDS  Network Intrusion Detection System
WAN  Wide Area Network
LAN  Local Area Network
SQL  Structured Query Language
TCP  Transmission Control Protocol
UDP  User Datagram Protocol
ICMP  Internet Control Message Protocol
GUI  Graphical User Interface
IP  Internet Protocol
XSS, CSS  Cross-Site Scripting
SQLIA  Structured Query Language Injection Attack
HTTP  Hypertext Transfer Protocol
ACK  Acknowledge
SYN  Synchronize
Abstract

Hussein Azmi AlNabulsi, Developing SNORT Rules for Detection and Protection Against SQL Injection Attacks, Department of Computer Engineering, Yarmouk University, 2013. (Supervisor: Dr. Mohammed Al-Jarrah, Co-Advisor: Dr. Izzat AlSmadi)

An Intrusion Detection System (IDS) for computer networks is capable of alerting system administrators to potential attacks. Using SQL injection attacks, attackers can retrieve sensitive information from the databases behind web servers. We studied and proposed effective methods to detect possible attacks against web applications, especially SQL injection. In this research we discuss techniques for detecting SQL injection attacks on the network, and how to detect these attacks using the SNORT tool. SNORT, an open source IDS, is used to compose regular expression-based rules for detecting attacks. We evaluated several techniques to show how SQL injection attacks can be conducted and accomplished, and demonstrated with different examples how such attacks can be detected using SNORT. A case study of several websites is evaluated to demonstrate how SQL injection attacks can be conducted and how hackers use SQL injection methods to attack web applications. The recent increase in the number and variety of SQL injection attacks conducted and detected shows the importance of this research. We evaluated several alternative SNORT rules that can detect these attacks and alert users or system administrators. Different experiments with different methods of SQL injection attack are evaluated as part of the assessment study in this thesis.
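The abstract summarizes the thesis's approach: SNORT rules whose pcre option carries a regular expression that is matched against web traffic to flag SQL injection. The block below is an added illustration, not one of the rules proposed in the thesis, and the rule text, regular expression, helper names and HTTP request lines in it are all assumptions constructed for this example. It models one such rule in Python and runs its regex over sample request lines with and without the percent-decoding that SNORT's HTTP preprocessor applies to the URI buffer, so that it shows a tautology being detected, a benign request not matching, the same attack missed when the URI is left undecoded, and a comment-based evasion that the simple pattern does not catch.

```python
"""Toy model of a SNORT pcre-based SQL injection rule applied to HTTP request
lines.  Added example; the rule below is illustrative and is not a rule from
the thesis."""
import re
from urllib.parse import unquote

# Illustrative SNORT rule (assumption).  The expression inside pcre:"/.../Ui"
# is the detection logic: a quote, optional whitespace, OR/AND, at least one
# whitespace, then an operand = operand tautology such as '1'='1.
# /U matches against the normalized URI buffer, /i makes it case-insensitive.
SNORT_RULE = r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQLi tautology in URI"; flow:to_server,established; pcre:"/'\s*(or|and)\s+[\w']+\s*=\s*[\w']+/Ui"; classtype:web-application-attack; sid:1000001; rev:1;)'''

# The same regular expression as SNORT would compile it from the pcre option.
SQLI_TAUTOLOGY = re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.IGNORECASE)


def extract_uri(request_line: str) -> str:
    """Return the request-target of a request line like 'GET /x?y=1 HTTP/1.1'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(uri: str) -> str:
    """Approximate the URI normalization done by SNORT's HTTP preprocessor:
    a single round of percent-decoding.  (The real preprocessor also handles
    double encoding, Unicode and directory traversal, depending on config.)"""
    return unquote(uri)


def detect(request_line: str, normalized: bool = True):
    """Return the matched injection fragment, or None if the rule would not fire.

    normalized=False applies the regex to the raw URI, which is what happens
    when a rule uses a plain content/pcre match without the URI buffer."""
    uri = extract_uri(request_line)
    buf = normalize_uri(uri) if normalized else uri
    m = SQLI_TAUTOLOGY.search(buf)
    return m.group(0) if m else None


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    # Classic tautology with percent-encoded spaces: fires after normalization.
    "GET /login.php?user=admin'%20OR%20'1'='1&pass=x HTTP/1.1",
    # Benign request: no quote, no tautology.
    "GET /products.php?id=17&sort=name HTTP/1.1",
    # Benign apostrophes in a search term: must not fire.
    "GET /search.php?q=O'Brien's%20book HTTP/1.1",
    # Inline-comment evasion (/**/ instead of whitespace): this pattern misses it,
    # which is the kind of bypass a rule set has to cover separately.
    "GET /login.php?user=admin'/**/OR/**/1=1-- HTTP/1.1",
]


def scan(requests):
    """Run the rule over each request line; returns (line, hit_normalized, hit_raw)."""
    return [(r, detect(r), detect(r, normalized=False)) for r in requests]


if __name__ == "__main__":
    print(SNORT_RULE)
    for line, hit, raw_hit in scan(SAMPLE_REQUESTS):
        print(f"{line}\n  normalized URI -> {hit!r}\n  raw URI        -> {raw_hit!r}")
```

The raw-versus-normalized comparison is the practical point: the same regex that catches `admin' OR '1'='1` once `%20` is decoded sees only `'%20OR` on the undecoded URI and stays silent, and the `/**/` variant defeats it in both modes because `\s` does not match a comment. A production rule set needs either the normalized URI buffer (the `/U` modifier, or `http_uri` in newer syntax) plus additional patterns for comment and encoding tricks, or it will miss exactly the evasions the thesis's later chapters examine.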