SQLassie


About SQLassie


Overview

SQLassie is a proxy to a database server that analyzes commands in real time as they are sent from your application to the database server. SQLassie parses the queries and looks for suspicious actions that are indicative of injection attacks. These actions are then analyzed using Bayesian filtering to determine the likelihood that a query contains an attack.

If SQLassie determines that a query was an attack, it blocks the query from running and responds to the application with an appropriate message. For example, if an attack is attempting to access user credentials, SQLassie would respond with an empty set packet, and your application would simply think that the query returned no results. Your application and the attacker are none the wiser.

Installation is easy. Just configure SQLassie to connect to your database server, start SQLassie, and then configure your applications to connect to SQLassie instead of directly to the database server.

Genesis

SQLassie is heavily inspired by GreenSQL. GreenSQL is an excellent idea in theory, but in some cases its false positive rate is unacceptably high. For example, every query that is generated by MediaWiki includes an embedded comment that explains its intent. GreenSQL blocks all queries with comments; this makes MediaWiki unusable with GreenSQL.
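To make the Overview's "parse, extract suspicious features, then weigh them with Bayesian filtering" approach concrete, and to show why a comment alone should not sink a query, here is a small Bernoulli naive Bayes classifier over query features. This is an added example, not SQLassie's own code: the regex-based feature extraction, the sensitive names `users`/`password`, the MediaWiki-style queries and the labelled training corpus are all constructed assumptions.

```python
import math
import re
# Simplified feature extraction: SQLassie uses a real SQL parser; these regexes
# are an assumption made so the example runs stand-alone.
FEATURES = {
    "comment": re.compile(r"--|/\*.*?\*/", re.S),
    "tautology": re.compile(r"(?<!\w)(\w+|'[^']*')\s*=\s*\1(?!\w)"),  # 1=1, 'a'='a'
    "union": re.compile(r"\bunion\b", re.I),
    "or_clause": re.compile(r"\bor\b", re.I),
    "credentials": re.compile(r"\b(users|password)\b", re.I),  # assumed sensitive names
}
def extract(query):  # True/False for every feature of one query
    return {name: bool(rx.search(query)) for name, rx in FEATURES.items()}

# Constructed training corpus; benign rows imitate MediaWiki's commented queries.
TRAINING = [
    ("SELECT page_id FROM page WHERE page_title = 'Main_Page' /* Article::loadPage */", "benign"),
    ("SELECT * FROM posts WHERE id = 42", "benign"),
    ("UPDATE users SET last_login = NOW() WHERE id = 7 /* User::touch */", "benign"),
    ("SELECT title FROM posts WHERE id = 4 OR id = 5", "benign"),
    ("SELECT * FROM posts WHERE id = 1 OR 1=1", "attack"),
    ("SELECT * FROM posts WHERE id = 1 UNION SELECT user, password FROM users --", "attack"),
    ("SELECT * FROM posts WHERE title = '' OR 'a'='a' --", "attack"),
    ("SELECT * FROM users WHERE name = '' OR ''='' --", "attack"),
]

def train(labelled):
    """Count class sizes and per-class feature occurrences (Bernoulli naive Bayes)."""
    sizes = {"benign": 0, "attack": 0}
    hits = {label: dict.fromkeys(FEATURES, 0) for label in sizes}
    for query, label in labelled:
        sizes[label] += 1
        for name, present in extract(query).items():
            hits[label][name] += present
    return sizes, hits
MODEL = train(TRAINING)  # trained once, at proxy start-up

def p_attack(model, query):
    """Posterior P(attack | features); Laplace smoothing keeps unseen features from zeroing out."""
    sizes, hits = model
    feats, lp = extract(query), {}
    for label in sizes:
        lp[label] = math.log(sizes[label] / sum(sizes.values()))  # class prior
        for name, present in feats.items():
            p = (hits[label][name] + 1) / (sizes[label] + 2)       # P(feature | class)
            lp[label] += math.log(p if present else 1 - p)
    return 1 / (1 + math.exp(lp["benign"] - lp["attack"]))

def handle(model, query, threshold=0.5):
    """Proxy decision: forward the query, or answer the client with an empty result set."""
    return "EMPTY_SET" if p_attack(model, query) >= threshold else "FORWARD"
```

With this corpus a MediaWiki-style query that only carries a comment, or a legitimate `UPDATE users ... /* User::touch */`, is forwarded, while a query combining a comment, a tautology and an `OR` is answered with an empty set; a deployment tuned for few false positives would raise `threshold` well above 0.5.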

SQLassie is currently a work in progress. It works well enough, but there are still things I want to improve before I produce a release candidate. That being said, I've been using it to protect a blog, a wiki and a bug tracker for several months with no problems. If you're interested in trying it out for yourself, you can download a release version at GitHub. If you're interested in seeing how SQLassie will react to different queries, you can view the demo as well.

Philosophy

Intrusion detection systems should strive to produce as few false positives as possible. Because actual attacks are so rare in practice, even a relatively low overall false positive rate will cause a large number of false alarms. This can desensitize administrators and cause them to ignore alarms or disable the IDS altogether. Therefore, SQLassie's primary goal is to keep the false positive rate as close to 0 as possible.