This rule was written to help identify any exploits being made for the MySQL vulnerability recently found http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-6662-advisory-recent-mysql-code-executionprivilege-escalation-zero-day-vulnerability/
So I have created a rule that contains the following.
MySQL exploit attempt CVE-2016-6662
query contains 'unhex' || query contains '67656e6572616c5f6c6f675f66696c65' || query contains '2e636e66' || query contains '6e6d616c6c6f635f6c6962' || query contains 'global_log_dir' || query contains 'nmalloc_lib' || extension = 'cnf'
I looked at the snort rules from the emerging threat ruleset and looked for the relevant content that could be used to search for on RSA and this is what I came up with.
This has generated a few false positives based on the hex values, but so far I’m happy with what it has been identifying