From f7d42af046d26f8ab03e9505390cfe0a4d08ae21 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Fri, 29 Oct 2010 11:00:23 +0000
Subject: [PATCH] some fixes regarding --check-payload
---
 lib/utils/checkpayload.py | 9 +++------
 xml/phpids_rules.xml | 2 +-
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/lib/utils/checkpayload.py b/lib/utils/checkpayload.py
index 4b619ce5b..8e1556bc8 100644
--- a/lib/utils/checkpayload.py
+++ b/lib/utils/checkpayload.py
@@ -50,9 +50,6 @@ def checkPayload(payload):
 if payload:
 for rule, desc in rules:
- try:
- regObj = getCompiledRegex(rule)
- if regObj.search(payload):
- logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
- except: # Some issues with some regex expressions in Python 2.5
- pass
+ regObj = getCompiledRegex(rule)
+ if regObj.search(payload):
+ logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
diff --git a/xml/phpids_rules.xml b/xml/phpids_rules.xml
index 118a5f491..8594dee06 100644
--- a/xml/phpids_rules.xml
+++ b/xml/phpids_rules.xml
@@ -56,7 +56,7 @@
 </filter>
 <filter>
 <id>45</id>
- <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
+ <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]+)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]></rule>
 <description>Detects basic SQL authentication bypass attempts 2/3</description>
 <tags>
 <tag>sqli</tag>
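Review bot: With the `try`/`except` gone, a single rule that fails to compile now propagates out of the `for rule, desc in rules:` loop and stops the check for every remaining rule (and, depending on the caller, the whole run). Dropping the bare `except:` is right, since it also hid genuine errors in `regObj.search`, but the rule file is external data and the removed comment says some expressions did fail under Python 2.5. I would catch only the compile failure, name the rule in the warning and continue; this assumes `getCompiledRegex` lets `re.error` through and that `re` is imported in this module, neither of which is visible in the hunk. `checkPayload` starts above the hunk.

```python
        for rule, desc in rules:
            try:
                regObj = getCompiledRegex(rule)
            except re.error:
                # One bad rule must not disable the remaining checks.
                logger.warn("skipping IDS rule that failed to compile: '%s'" % desc)
                continue
            # … unchanged: regObj.search(payload) and the detection warning …
```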
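Review bot: Rule 45 now differs from the upstream PHPIDS filter with nothing in the file saying so, and a later re-sync of `phpids_rules.xml` would silently bring `[(!@]*)?` back. The two forms accept the same input, because the enclosing `(?: … )?` already covers the empty case, so this reads as a regex-engine compatibility fix rather than a change in what is detected; that reason is inferred from the comment removed in `checkpayload.py`. A short marker next to the filter would record it, for example `<!-- local change: [(!@]* -> [(!@]+ inside the optional group, for Python re compatibility -->`, provided the rule loader tolerates comments.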