I am having a frequent issue of the SQL-INJ signatures matching and alarming on content that has no resemblance to a SQL injection attack.
Here is an example:
This flagged attack signature 200002175 - SQL-INJ create table.
Every day I get a couple thousand of these sorts of false positives. If I disable it on a parameter, then eventually I will have no parameters being protected.
Thanks for responding.
Have you found a way to look into the regex that makes up that rule? I'd love to see the 'source' of some of these rules.
,'SQL-INJ create table','paramcontent:\"create\"; nocase; norm; paramcontent:\"table\"; norm; nocase; distance:0; pcre:\"/^[^=]*=.*?(?:\\x22|\'|\\(|\\)|=|;|--|#|\\+|\\/\\*)/Psi\";
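To see why benign text trips this rule, here is an added example (my own code, not F5's matching engine or anything from the thread) that approximates how the three conditions of signature 200002175 combine and reports which one fired for a given parameter. Assumptions: the paramcontent checks run on the normalized parameter value, the /P pcre runs on "name=value", and "norm" is modelled only as URL-decoding with '+' treated as a space.

```python
import re
from urllib.parse import unquote_plus

# The pcre from the exported rule, with the export's double escaping undone.
# The alternation is captured so we can report which metacharacter matched.
META_RE = re.compile(r"^[^=]*=.*?(\x22|'|\(|\)|=|;|--|#|\+|/\*)", re.S | re.I)


def explain_match(name: str, raw_value: str) -> dict:
    """Return which parts of the 'SQL-INJ create table' signature fire
    for one request parameter (approximation, see assumptions above)."""
    value = unquote_plus(raw_value)          # stand-in for the 'norm' step
    low = value.lower()                      # 'nocase' on both paramcontent checks
    create_at = low.find("create")
    # distance:0 means "table" must begin at or after the end of "create"
    table_after = create_at >= 0 and low.find("table", create_at + len("create")) >= 0
    m = META_RE.search(f"{name}={value}")    # /P: pattern applied to name=value
    return {
        "create": create_at >= 0,
        "table_after_create": table_after,
        "metachar": m.group(1) if m else None,
    }


def signature_fires(name: str, raw_value: str) -> bool:
    """True when all three conditions hold, i.e. the signature would alarm."""
    r = explain_match(name, raw_value)
    return r["create"] and r["table_after_create"] and r["metachar"] is not None


def triage(samples):
    """Run a batch of (name, raw_value) pairs and return (name, fires, metachar)."""
    return [(n, signature_fires(n, v), explain_match(n, v)["metachar"]) for n, v in samples]


# Constructed sample parameters, not taken from the poster's logs.
SAMPLES = [
    # free text with "create" ... "table" and a parenthesis: false positive
    ("comment", "Please+create+a+table+of+contents+(TOC)+for+chapter+2"),
    # same words, no metacharacter after the '=': does not fire
    ("note", "I+want+to+create+a+new+table+for+the+kitchen"),
    # the kind of value the rule is actually meant to catch
    ("q", "create+table+t+(id+int);"),
]

if __name__ == "__main__":
    for name, fires, meta in triage(SAMPLES):
        print(f"{name:8} fires={fires!s:5} metachar={meta!r}")
```

Running the batch shows the first sample alarms only because of the "(" after the first "=", which is the component worth examining when deciding how to tune the parameter rather than disabling the signature outright.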