
Snort not detecting SQL injection alerts despite proper configuration

Çağlar Arlı


I’m trying to configure Snort (version 2.9.20) to detect SQL injection attempts. I’ve set up Apache2, PHP (8.3.6), MySQL (8.0.40), and Mutillidae to simulate SQL injection attacks via a form. While Snort successfully detects ICMP (ping) and SSH connection attempts, it fails to trigger alerts for SQL injection attempts.

Here’s what I’ve done so far:

  1. Configured snort.conf and local.rules with rules for SQL injection detection.

  2. Used Mutillidae to inject SQL code via a form to trigger the alerts.

  3. Verified with Wireshark that the SQL injection requests are being sent and received.

  4. Confirmed that all services (Snort, Apache2, PHP, MySQL) are running correctly.

  5. Used the following command to monitor logs:

    sudo snort -q -l /var/log/snort -i enp0s3 -A console -c /etc/snort/snort.conf

Here’s the content of my local.rules file:

    # Rule to detect possible SQL injection using inline comments
    alert tcp any any -> any any (msg:"Possible SQL Injection - Inline Comments Detected"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/"; http_uri; pcre:"/\?.*(--|#|\/\*)/"; sid:1000001;)

    # Rule to detect boolean-based SQL injection
    alert tcp any any -> any any (msg:"Possible Boolean-based Blind SQL Injection Attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/"; http_uri; pcre:"/\?.(\bselect\b|\bunion\b|\band\b|\bor\b)(?:[^=]=){2}[^&]*'/i"; sid:1000002;)

    # Rule to detect manual injection
    alert tcp any any -> any 80 (msg:"Possible SQL Injection - UNION keyword detected"; flow:to_server,established; content:"UNION"; nocase; http_uri; sid:1000003;)

    # Rule to detect manual injection using the word "or"
    alert tcp any any -> any 80 (msg:"Possible Manual Injection detected"; flow:to_server,established; content:"GET"; http_method; content:"?parameter=malicious_keyword"; http_uri; sid:1000004;)

Additional Details

I followed a tutorial from this Medium article for guidance.

Mutillidae is being used to simulate the SQL injection attacks.

ICMP and SSH alerts work perfectly, so Snort is running and logging events.
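The following is an added example, not part of the question above and not Snort code: a small Python model of what three of the posted rules actually require of a request, run against constructed HTTP requests (hypothetical paths, host and parameter names). It assumes Snort 2.9 semantics: `http_method` and `http_uri` inspect the method token and the percent-decoded URI respectively, while a `pcre` without the `/U` flag runs over the raw packet payload. Under those assumptions it shows the three conditions a form submission has to satisfy before any of these rules can fire: the request must be a GET, the injected characters must appear in the buffer the rule inspects (a browser sends `'` and `#` as `%27` and `%23`, which the raw-payload regex never sees), and for sid 1000004 the query string must literally contain `?parameter=malicious_keyword`.

```python
import re
from urllib.parse import unquote

# Constructed sample requests; paths, host and parameter names are hypothetical.
REQ_RAW_GET = ("GET /vuln/user-info.php?username=admin'#&password=x HTTP/1.1\r\n"
               "Host: lab.example\r\n\r\n")          # quote and '#' sent literally (hand-built request)
REQ_BROWSER_GET = ("GET /vuln/user-info.php?username=admin%27%23&password=x HTTP/1.1\r\n"
                   "Host: lab.example\r\n\r\n")      # same payload as a browser form would encode it
REQ_BROWSER_POST = ("POST /vuln/login.php HTTP/1.1\r\n"
                    "Host: lab.example\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n"
                    "Content-Length: 31\r\n\r\n"
                    "username=admin%27%23&password=x")  # payload in the body, not in the URI
REQ_UNION_GET = ("GET /vuln/user-info.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1\r\n"
                 "Host: lab.example\r\n\r\n")


def request_line(req):
    return req.split("\r\n", 1)[0]


def http_method(req):
    # Stand-in for Snort's http_method buffer: the method token.
    return request_line(req).split(" ")[0]


def normalized_uri(req):
    # Stand-in for Snort's http_uri buffer (assumption: percent-decoding only).
    return unquote(request_line(req).split(" ")[1])


# pcre from sid 1000001: "?" followed anywhere by --, # or /*
INLINE_COMMENT = re.compile(r"\?.*(--|#|/\*)")


def sid_1000001(req, normalized=False):
    """content:"GET"; http_method; content:"/"; http_uri; pcre without /U.
    Without /U the regex runs over the raw payload, so a browser-encoded '#'
    (%23) is invisible to it.  normalized=True models the same rule with the
    /U flag appended, i.e. the regex applied to the decoded URI instead."""
    if http_method(req).upper() != "GET" or "/" not in normalized_uri(req):
        return False
    haystack = normalized_uri(req) if normalized else req
    return INLINE_COMMENT.search(haystack) is not None


def sid_1000003(req):
    # content:"UNION"; nocase; http_uri  -> decoded URI only; a POST body is
    # not part of http_uri (that would need http_client_body).
    return "union" in normalized_uri(req).lower()


def sid_1000004(req):
    # content:"GET"; http_method; content:"?parameter=malicious_keyword"; http_uri
    # The tutorial's placeholder string is matched literally.
    return http_method(req).upper() == "GET" and \
        "?parameter=malicious_keyword" in normalized_uri(req)


def matching_sids(req, normalized_pcre=False):
    """Return the sids that would fire for one request (ports/flow omitted)."""
    hits = []
    if sid_1000001(req, normalized_pcre):
        hits.append(1000001)
    if sid_1000003(req):
        hits.append(1000003)
    if sid_1000004(req):
        hits.append(1000004)
    return hits


if __name__ == "__main__":
    for name, req in [("raw GET", REQ_RAW_GET), ("browser GET", REQ_BROWSER_GET),
                      ("browser POST", REQ_BROWSER_POST), ("UNION GET", REQ_UNION_GET)]:
        print(f"{name:13s} as posted: {matching_sids(req)}  "
              f"with /U on sid 1000001: {matching_sids(req, True)}")
```

The model deliberately ignores `flow`, ports and TCP reassembly; it isolates the buffer and method conditions, which is where a form-based test most often diverges from a rule written against a hand-crafted GET.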