
Triggering Suricata rules


I expected to see SQL injection attempts against our web servers, so when Suricata didn't show any I grew suspicious. I know it's catching traffic, because other alerts are triggering. I decided to try triggering a rule myself, and chose this one from emerging-web_server.rules:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_cmdshell"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; classtype:web-application-attack; sid:2009815; rev:5;)

If I understand this correctly, attempting to load "http://<web_server_external_ip>/EXEC xp_cmdshell" in a browser should trigger this rule, but it doesn't trigger any messages on the SIEM page. Any ideas?
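As an added illustration (not part of the post above and not Suricata's own code), the following Python models how the quoted rule's header address groups and its uricontent/nocase options are evaluated against a request. The HOME_NET/EXTERNAL_NET/HTTP_SERVERS values are constructed, following the common suricata.yaml layout in which EXTERNAL_NET is defined as !$HOME_NET; percent-decoding stands in for Suricata's normalized URI buffer.

```python
import ipaddress
from urllib.parse import unquote

# The rule quoted in the post, with its reference: options dropped (they do not affect matching).
RULE = ('alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To '
        'Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; '
        'uricontent:"EXEC"; nocase; uricontent:"xp_cmdshell"; nocase; sid:2009815; rev:5;)')

# Constructed address-group variables (adjust to your deployment); EXTERNAL_NET negates HOME_NET.
VARS = {"HOME_NET": ["10.0.0.0/8", "192.168.0.0/16"], "EXTERNAL_NET": "!$HOME_NET",
        "HTTP_SERVERS": "$HOME_NET"}

def parse_uricontent(rule):
    """Return [(pattern, nocase)]; a bare 'nocase;' modifies the uricontent just before it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    found = []
    for opt in (o.strip() for o in body.split(";")):
        if opt.startswith("uricontent:"):
            found.append([opt.split(":", 1)[1].strip().strip('"'), False])
        elif opt == "nocase" and found:
            found[-1][1] = True
    return [tuple(f) for f in found]

def resolve(group):
    """Expand an address variable such as $EXTERNAL_NET into (networks, negated)."""
    negated = False
    while isinstance(group, str):
        if group.startswith("!"):
            negated, group = not negated, group[1:]
        group = VARS[group.lstrip("$")]
    return [ipaddress.ip_network(n) for n in group], negated

def addr_in_group(addr, group):
    nets, negated = resolve(group)
    return any(ipaddress.ip_address(addr) in n for n in nets) != negated

def uri_matches(rule, raw_uri):
    """Model of uricontent: match every pattern against the percent-decoded (normalized) URI."""
    uri = unquote(raw_uri)
    for pattern, nocase in parse_uricontent(rule):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True

def rule_fires(rule, src_ip, dst_ip, raw_uri):
    """Header check (source in $EXTERNAL_NET, destination in $HTTP_SERVERS) plus the URI match."""
    hdr = rule.split("(", 1)[0].split()          # alert http SRC SPORT -> DST DPORT
    return (addr_in_group(src_ip, hdr[2]) and addr_in_group(dst_ip, hdr[5])
            and uri_matches(rule, raw_uri))
```

With these variables, the same request sent from a browser inside HOME_NET fails the $EXTERNAL_NET source check even though both uricontent patterns match, so a self-test from the internal network produces no alert.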

