Snort Not Detecting SQL Injection Attempts on Mutillidae [closed]
I have set up a virtual lab using VMware with the following machines:
- Ubuntu (Running Snort for intrusion detection)
- Kali Linux (Used as the attacking machine)
- Metasploitable 2 (Hosting Mutillidae, a vulnerable web application)
All machines are configured to use NAT networking. I installed and configured Snort on the Ubuntu machine, including setting up rules in local.rules to detect SQL injection attempts. However, while Snort successfully detects Nmap scans from Kali Linux, it does not generate alerts for SQL injection attempts made through the Mutillidae web application.
Snort Rule Configuration: Here are the rules I added to /etc/snort/rules/local.rules:
Rule to detect possible SQL injection using inline comments.
alert tcp any any -> any any (msg:"Possible SQL Injection - Inline Comments Detected"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/"; http_uri; pcre:"/\?.*(--|#|\/\*)/"; sid:1000001;)
Rule to detect boolean-based SQL injection.
alert tcp any any -> any any (msg:"Possible Boolean-based Blind SQL Injection Attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/"; http_uri; pcre:"/\?.*(\bselect\b|\bunion\b|\band\b|\bor\b)(?:[^=]*=){2}[^&]*'/i"; sid:1000002;)
Rule to detect manual SQL injection.
alert tcp any any -> any 80 (msg:"Possible SQL Injection - UNION keyword detected"; flow:to_server,established; content:"UNION"; nocase; http_uri; sid:1000003;)
Rule to detect manual injection using the word OR.
alert tcp any any -> any 80 (msg:"Possible Manual Injection detected"; flow:to_server,established; content:"GET"; http_method; content:"?parameter=malicious_keyword"; http_uri; sid:1000004;)
I attempted the following SQL injection attack on Mutillidae's vulnerable form:
' OR '1'='1' --
To do the configuration I followed an article on Medium; here is the link to the article:
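To check offline which of the four rules above would actually fire on a given request, here is an added Python harness (not from the question or the Medium article) that models only each rule's URI checks. The request lines are constructed, and the harness assumes the `--` and `'` characters in the pcre patterns are plain ASCII.

```python
import re
from urllib.parse import unquote_plus

# Approximations of the four local.rules entries, keyed by sid. Only the
# URI-matching part of each rule is modelled: flow, http_method and the
# "GET" content check are assumed satisfied by every request line below.
# Python's re engine treats these particular PCRE patterns identically.
PCRE_RULES = {
    1000001: re.compile(r"\?.*(--|#|/\*)"),
    1000002: re.compile(r"\?.*(\bselect\b|\bunion\b|\band\b|\bor\b)(?:[^=]*=){2}[^&]*'", re.I),
}
CONTENT_RULES = {
    1000003: ("union", True),                          # content:"UNION"; nocase; http_uri
    1000004: ("?parameter=malicious_keyword", False),  # literal placeholder, never sent by a real client
}


def matching_sids(request_line, normalize=False):
    """Return the sids whose URI checks fire for one HTTP request line.

    normalize=False tests the raw, percent-encoded URI (what a pcre without
    the U modifier sees); normalize=True tests the decoded URI (what
    content/http_uri sees after http_inspect normalisation).
    """
    uri = request_line.split(" ", 2)[1]
    if normalize:
        uri = unquote_plus(uri)
    hits = [sid for sid, rx in PCRE_RULES.items() if rx.search(uri)]
    for sid, (needle, nocase) in CONTENT_RULES.items():
        haystack, n = (uri.lower(), needle.lower()) if nocase else (uri, needle)
        if n in haystack:
            hits.append(sid)
    return sorted(hits)


# Constructed request lines (not captured traffic): the question's payload
# submitted through a hypothetical Mutillidae login form, plus a benign login.
ATTACK = ("GET /mutillidae/index.php?page=login.php&username="
          "%27+OR+%271%27%3D%271%27+--&password=x HTTP/1.1")
BENIGN = "GET /mutillidae/index.php?page=login.php&username=bob&password=x HTTP/1.1"

if __name__ == "__main__":
    for name, line in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, "raw:", matching_sids(line), "normalized:", matching_sids(line, True))
```

Only sid 1000001 fires on the payload (the `--` is not percent-encoded, so raw and normalized forms agree); sid 1000002 requires two `=` signs followed by a quote with no `&` in between, which this payload never produces.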