Snort Rule — Detect the SQLi Pattern
Hard IDS · 40 min
Scenario
Your IDS team needs a Snort 3 rule that alerts on HTTP GET requests carrying the classic SQLi tautology `' OR '1'='1` in the URI. The rule must fire on the request side of any HTTP_PORTS session and be assigned SID 1000042.
Required rule constraints
| Field | Value |
|---|---|
| Action | alert |
| Protocol | http |
| Src | $EXTERNAL_NET any |
| Dst | $HTTP_SERVERS $HTTP_PORTS |
| Direction | -> |
| msg | "TC-LAB SQLi tautology in URI" |
| flow | to_server,established |
| Match | URI contains ' OR '1'='1 |
| sid | 1000042 |
| rev | 1 |
Answer format
Submit the rule on a single line, exact spacing:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"<...>"; flow:<...>; http_uri; content:"<...>"; sid:<...>; rev:1;)
Replace each `<...>` with the correct value. Match the canonical answer format exactly, including the order of options and the spacing.
Hints
Hint 1 (−10 pts)
Snort 3 buffer modifier syntax: `http_uri;` placed BEFORE the `content:` directive restricts matching to the URI buffer. Quote the SQLi payload inside `content:"..."`.
Hint 2 (−10 pts)
Order: msg → flow → http_uri → content → sid → rev. Each option ends with a semicolon, and the whole option block is wrapped in parentheses.
Hint 3 (−10 pts)
Full canonical answer: alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TC-LAB SQLi tautology in URI"; flow:to_server,established; http_uri; content:"' OR '1'='1"; sid:1000042; rev:1;)
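Added example (not part of the lab): a small Python checker that parses a one-line Snort 3 rule into its header and ordered option list, compares it against the constraint table above, and approximates the `http_uri` content check so you can see which request URIs the rule would match. It assumes Snort 3's default behaviour of matching `content:` case-sensitively against the percent-decoded URI; the sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# Required values from the lab's constraint table; a submitted rule is compared against these.
EXPECTED_HEADER = "alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS".split()
EXPECTED_OPTIONS = [
    ("msg", '"TC-LAB SQLi tautology in URI"'),
    ("flow", "to_server,established"),
    ("http_uri", None),               # buffer selector: takes no value, must precede content
    ("content", "\"' OR '1'='1\""),
    ("sid", "1000042"),
    ("rev", "1"),
]

def parse_rule(rule):
    """Split a one-line Snort 3 rule into header tokens and an ordered (name, value) list."""
    m = re.fullmatch(r"\s*([^(]*?)\s*\((.*)\)\s*", rule)
    if not m:
        raise ValueError("option block must be wrapped in parentheses")
    header = m.group(1).split()
    options = []
    # Every option ends with ';'. Split only on ';' outside double quotes so that a
    # content pattern that itself contains ';' is not cut in half.
    for raw in re.findall(r'(?:[^;"]|"[^"]*")+;', m.group(2)):
        name, sep, value = raw.strip()[:-1].partition(":")
        options.append((name.strip(), value.strip() if sep else None))
    return header, options

def check_rule(rule):
    """Return the list of deviations from the lab constraints; an empty list means it conforms."""
    try:
        header, options = parse_rule(rule)
    except ValueError as e:
        return [str(e)]
    problems = []
    if header != EXPECTED_HEADER:
        problems.append("header mismatch: " + " ".join(header))
    if [n for n, _ in options] != [n for n, _ in EXPECTED_OPTIONS]:
        problems.append("option order must be msg, flow, http_uri, content, sid, rev")
    for (name, value), (_, want) in zip(options, EXPECTED_OPTIONS):
        if value != want:
            problems.append(f"{name}: expected {want!r}, got {value!r}")
    return problems

def uri_matches(content, uri):
    """Approximate the http_uri content check: Snort 3 matches against the normalized
    (percent-decoded) URI, and content is case-sensitive unless 'nocase' is added."""
    return content.strip('"') in unquote(uri)
```

The last function shows why a production version of this rule would normally add `nocase;` after the `content:` option: as written, a lowercase `' or '1'='1` in the URI does not trigger it.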