Irregular Expressions

Aug 16 2010   5:02PM GMT

The SQL CAST statement..

Dan O'Connor

http://isc.sans.edu/diary.html?storyid=9397

I have played with this before; the most effective method I found of blocking these was looking for the CAST statement itself.

The statements, at least the ones that I was playing with, all had a “CAST”, “SET”, “VARCHAR”, and “EXEC”.  I found that some of the vendors seem to be looking for the HEX or some mix, because I made variations of the HEX over and over again until it made its way through with the same SELECT statement.  I found the best way to detect these events was to look for the “CAST” with the other markers; in my case there was no use for “CAST” in my network, so I just started to alert on all of that.

This is a good breakdown and decode; it's worth reading!
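
The detection approach described in this post, sketched as an added example (not the author's code): a request is flagged when all four markers co-occur after URL-decoding, whatever the hex value is, with an option to alert on any CAST as the author did on his network. The function names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# The four markers named in the post, matched as whole words, any case.
# Assumption: NVARCHAR and EXECUTE are treated as variants of VARCHAR and EXEC.
MARKERS = {
    "CAST": re.compile(r"\bCAST\b", re.I),
    "SET": re.compile(r"\bSET\b", re.I),
    "VARCHAR": re.compile(r"\bN?VARCHAR\b", re.I),
    "EXEC": re.compile(r"\bEXEC(?:UTE)?\b", re.I),
}

def decode(raw, rounds=3):
    """URL-decode until stable; logged values may be encoded more than once."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def markers_found(raw):
    """Return the set of marker names present in the decoded request."""
    text = decode(raw)
    return {name for name, rx in MARKERS.items() if rx.search(text)}

def classify(raw, cast_allowed=True):
    """'alert' if all four markers co-occur, or on any CAST when the
    site has no legitimate use for it (cast_allowed=False)."""
    found = markers_found(raw)
    if found == set(MARKERS) or ("CAST" in found and not cast_allowed):
        return "alert"
    return "ok"

# Constructed request lines; the hex values are harmless placeholders.
SAMPLES = [
    "/page.asp?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x41424344%20AS%20VARCHAR(4000));EXEC(@S);--",
    "/page.asp?id=1;declare%20@s%20nvarchar(4000);set%20@s=cast(0x5a595857%20as%20nvarchar(4000));exec(@s);--",
    "/search.asp?q=cast+iron+skillet+set",
    "/products.asp?offset=20&category=broadcast",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), classify(line, cast_allowed=False), line[:60])
```

The third sample shows the trade-off: alerting on every CAST only works where, as in the author's network, ordinary traffic never contains the word.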
