About

This is an example of how the Simple Event Correlator (SEC) can be used to detect SQL tautology attacks, that is, injected conditions such as OR 1=1 that are always true and turn a restrictive WHERE clause into one that matches every row. The tutorial assumes that the Simple Event Correlator software has already been installed.

Setup

In order to allow SEC to detect SQL tautology attacks, MySQL has to be configured to write the general query log, a file containing every statement the server receives. To do so, add the following to the [mysqld] section of the MySQL configuration file (usually /etc/my.cnf or /etc/mysql/my.cnf) and restart the server:

[mysqld]
general_log=1
general_log_file=/var/lib/mysql/mysql.log

which instructs MySQL to dump a full log file containing all the commands that were issued to /var/lib/mysql/mysql.log. Hyphens and underscores are interchangeable in MySQL option names, so general-log=1 works as well. The older option name log=/var/lib/mysql/mysql.log that this page used previously is accepted only by MySQL 5.5 and earlier; it was removed in MySQL 5.6, so current servers need general_log_file. Each entry of the general log is a row of the form time, connection id, command, argument; statements appear as rows whose command field is Query, which is what the SEC rule below keys on.

Two caveats: the general log records every statement with its full arguments, so it grows quickly and may contain sensitive application data, and it should therefore be readable only by the mysql user and the account that runs SEC, and rotated; and the extra write per statement has a measurable cost on busy servers.

Configuration File

The next step is to create a SEC rule file that will read /var/lib/mysql/mysql.log and detect SQL tautology attacks.

type=Single
ptype=RegExp
pattern=\s\d+\s+Query\s+.*?\b(?i:or)\s+(\S+?)\s*=\s*(\S+?)(?:[\s;#]|--|$)
desc=Tautology Attack
context==({ "$1" eq "$2" })
action=write - Tautology Attack: $0

where

  • the value passed to pattern is a regular expression that matches a Query row of the general log, skips to the first OR (matched case-insensitively by the (?i:or) group, so both or and OR are caught) and captures the two operands of the = that follows it, for example 0 and 0 for OR 0=0. The right-hand operand stops at whitespace, a semicolon, a # or a -- comment marker, so an injection that comments out the rest of the query (OR 1=1 -- ') yields 1 and 1 rather than 1 and 1--. Note that the alternation must not be written as (or)|(OR), which would split the whole pattern into two alternatives and leave the operand groups undefined for the first one.
  • the value passed to context is a small block of Perl code, enclosed in =( ... ), which is evaluated after the pattern has matched; SEC substitutes the match variables, and the code returns true, and thus the rule fires, if and only if the first captured operand is the same string as the second. In other words, for an SQL tautology such as OR 1=1 it checks that 1 is 1. The string operator eq is used rather than the numeric ==, because Perl evaluates non-numeric strings as 0 under ==, so OR 'a'='b' would otherwise be reported as a tautology.
  • finally the value passed to action will just display the text together with $0, the whole log line that matched, on standard output; it can be replaced by a shellcmd action to send an e-mail or, more generally, to execute a shell script once the pattern has been matched.

The rule is a narrow heuristic: it examines only the first OR clause of each statement, and tautologies written differently, for example OR (1=1), OR 1<2, OR 'a' LIKE 'a' or OR true, as well as injections that do not use OR at all, are not matched.
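As an added example, not taken from this page or from the SEC project, the following Python script runs the same detection logic over a few constructed general-log rows so that the behaviour of the rule can be checked without a MySQL server. It goes beyond the SEC rule above in that it examines every OR ... = ... clause of a statement rather than the first one, strips surrounding quotes, and compares the two sides numerically when both are numbers (so 1 = 01 is also flagged). The log lines, connection id and query texts are all constructed for the example.

```python
import re

# Constructed MySQL general-query-log lines (not captured traffic). The layout
# is the general log's "Time  Id Command  Argument" format; only "Query" rows
# carry a statement, which is what the SEC rule keys on.
SAMPLE_LOG = "\n".join([
    "Time                 Id Command    Argument",
    "2022-04-19T08:28:01.000001Z\t    7 Connect\tapp@localhost on shop using Socket",
    "2022-04-19T08:28:01.000002Z\t    7 Query\tSELECT id FROM users WHERE name='bob' AND pass='x'",
    "2022-04-19T08:28:02.000003Z\t    7 Query\tSELECT id FROM users WHERE name='' OR 1=1 -- ' AND pass=''",
    "2022-04-19T08:28:03.000004Z\t    7 Query\tSELECT * FROM items WHERE cat='books' OR cat='dvd'",
    "2022-04-19T08:28:04.000005Z\t    7 Query\tSELECT id FROM users WHERE name='' or 'a'='a'",
    "2022-04-19T08:28:05.000006Z\t    7 Query\tSELECT id FROM users WHERE name='' OR 0 = 0 #",
    "2022-04-19T08:28:06.000007Z\t    7 Query\tSELECT id FROM users WHERE id=5 OR id = 6",
    "2022-04-19T08:28:07.000008Z\t    7 Quit\t",
])

# A general-log row: <time> <connection id> Query <statement>.
QUERY_RE = re.compile(r"^.*?\s(?P<id>\d+)\s+Query\s+(?P<sql>.*)$")

# OR <lhs> = <rhs>, where each side is a quoted literal or a bare token.
# The right-hand side stops at whitespace, ';', '#' or '--' so that a trailing
# comment used to cut off the rest of the query (1=1 -- ') is not swallowed.
TAUT_RE = re.compile(
    r"\bor\s+(?P<lhs>'[^']*'|\"[^\"]*\"|[^\s=]+)\s*=\s*"
    r"(?P<rhs>'[^']*'|\"[^\"]*\"|[^\s=;#]+?)(?=\s|;|#|--|$)",
    re.IGNORECASE,
)


def same_literal(lhs: str, rhs: str) -> bool:
    """True when both sides of '=' denote the same value (1=1, 0 = 0, 1=01, 'a'='a')."""
    lhs, rhs = lhs.strip("'\""), rhs.strip("'\"")
    try:
        return float(lhs) == float(rhs)   # numeric tautology, tolerates 1=01
    except ValueError:
        return lhs == rhs                 # string tautology such as 'a'='a'


def is_tautology(sql: str) -> bool:
    """True if any OR <x> = <y> clause in the statement compares a value with itself."""
    return any(same_literal(m.group("lhs"), m.group("rhs")) for m in TAUT_RE.finditer(sql))


def scan_general_log(text: str) -> list:
    """Return the statements of all Query rows that look like tautology attacks."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m and is_tautology(m.group("sql")):
            hits.append(m.group("sql"))
    return hits


if __name__ == "__main__":
    for sql in scan_general_log(SAMPLE_LOG):
        print("Tautology Attack:", sql)
```

Run against the constructed log, the script reports the OR 1=1, or 'a'='a' and OR 0 = 0 statements and stays silent on the legitimate OR cat='dvd' and OR id = 6 comparisons. The same false negatives as the SEC rule remain: tautologies that are not an equality between two tokens, such as OR (1=1), OR 1<2 or OR 'a' LIKE 'a', are not reported. To run the real rule against the live log, start SEC with the rule file and the log as input, for example sec --conf=tautology.sec --input=/var/lib/mysql/mysql.log, where tautology.sec is whatever name the rule file was saved under.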

unix/simple_event_correlator/security/detecting_sql_tautology_attacks.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1