Ask the Expert

Can Snort stop application-layer attacks?

Can Snort address application-level attacks (SQL injection and cross-site scripting)? Can it be set up to stop these attacks, or can it only detect them?

    Requires Free Membership to View

SQL injection and cross-site scripting (XSS) attacks are the most common application-layer attacks on the Internet. Both attacks succeed when user input is not correctly filtered or validated to ensure that it is within the application's expected bounds. A network-based intrusion detection (IDS) tool such as Snort can be set up to detect certain types of SQL injection and XSS attacks as they occur. Snort actually has a default rule set that contains signatures for detecting these intrusions. However, they can be easily bypassed by an attacker, mainly by converting the malicious input string into its hex-encoded value.

You can take advantage of Perl's compatible regular expressions (pcre), which are supported by Snort, to write your own concise signatures that cover your particular Web application. Various Snort signatures are also available on the Internet for both SQL injection and XSS protection. Visit Network Intelligence for some good examples. Depending upon how your Web site is structured, signature-based detection can lead to a high number of false positives. For that reason, you may have to tune these signatures to your own requirements. Unfortunately, since most SQL statements are created dynamically by a Web application, each one may be different. This diversity makes it difficult to implement effective signatures. Although Snort can be deployed as a full-blown network intrusion prevention system, with real-time alerting capabilities, it can't stop a sophisticated SQL injection or XSS attack. So even though Snort can add an important layer of defense for your application, it doesn't fix the underlying problem of poorly written applications.

A more efficient and effective technique is to try to eliminate SQL injection and XSS holes in-house. Firstly, implement a secure software development lifecycle methodology for your Web applications. Better programming practices such as code reviews, input validation and SQL parameter binding will all make your applications more robust. On larger projects, you may want to use automatic source code scanning tools.

Next, ensure that your Web server and your database server have been hardened. Never use root access when connecting to the database. It's important to ensure that users do not have privileged access to tables and views. Certainly deny them access to special system utilities and system-stored procedures.

Finally, before launching a Web application, carry out a penetration test to assess whether your methodologies have been implemented correctly. Depending on your budget and the value of your data, you may want to augment your defenses with a database extrusion-prevention (DBEP) product. Often referred to as database firewalls, they function more like a network behavior anomaly detection (NBAD) system than a simple firewall or IDS, preventing unauthorized access based on user roles and detecting abnormal user activity.

More information:

  • Check out SearchSecurity.com's Snort Intrusion Detection and Prevention Guide.
  • Ed Skoudis explains how the cross-site scripting threat has evolved.
  • This was first published in October 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: