suricata/rules: don't drop SQL queries between containers

ANSSI-FR · Sep 7, 2024 · f81d979 · f81d979
1 parent a9531dc
commit f81d979
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
@@ -164,11 +164,11 @@ rejectboth ip any any -> any any (msg: "Found PHP '$_POST'"; flow:to_server; con
 rejectboth ip any any -> any any (msg: "Found PHP 'echo system'"; flow:to_server; content: "echo system"; nocase; metadata: tag PHP system(), color warning; sid: 4305;)
 rejectboth ip any any -> any any (msg: "Found PHP 'file_get_contents' call"; flow:to_server; content: "file_get_contents"; nocase; metadata: tag PHP f_g_c(), color warning; sid: 4306;)
 rejectboth ip any any -> any any (msg: "Found PHP 'halt_compiler' call"; flow:to_server; content: "halt_compiler"; nocase; metadata: tag PHP h_c(), color warning; sid: 4307;)
-rejectboth ip any any -> any any (msg: "Found SQL 'SELECT . FROM '"; flow:to_server; content: "SELECT "; nocase; content: " FROM "; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4351;)
+alert ip any any -> any any (msg: "Found SQL 'SELECT . FROM '"; flow:to_server; content: "SELECT "; nocase; content: " FROM "; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4351;)
 rejectboth ip any any -> any any (msg: "Found SQL 'SELECT . FROM ' (URL encoded)"; flow:to_server; content: "SELECT+"; nocase; content: "+FROM+"; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4352;)
 rejectboth ip any any -> any any (msg: "Found SQL 'array_to_string'"; flow:to_server; content: "array_to_string"; nocase; metadata: tag SQL A2S, color warning; sid: 4353;)
 rejectboth ip any any -> any any (msg: "Found SQL 'regexp_count'"; flow:to_server; content: "regexp_count"; nocase; metadata: tag SQL REGC, color warning; sid: 4354;)
-rejectboth ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; flow:to_server; content: " LIMIT 1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4355;)
+alert ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; flow:to_server; content: " LIMIT 1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4355;)
 rejectboth ip any any -> any any (msg: "Found SQL ' LIMIT 1' (URL encoded)"; flow:to_server; content: "+LIMIT+1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4356;)
 rejectboth ip any any -> any any (msg: "Found SQL '::bytea'"; flow:to_server; content: "|3A 3A|bytea"; nocase; metadata: tag SQL BYTEA, color warning; sid: 4357;)
 rejectboth ip any any -> any any (msg: "Found SQL 'CAST(. as bytea)'"; flow:to_server; content: "CAST("; content: " as bytea)"; nocase; metadata: tag SQL CAST, color warning; sid: 4358;)