I was browsing the web tonight and visited KK Mookhey's site http://www.nii.co.in - (broken link) Network Intelligence to see what was new and I found a paper written by KK and Nilesh in 2004 titled "Detection of SQL Injection and Cross-site Scripting Attacks
". This is a great short paper that discusses creating regular-expression based rules for snort, the open source Intrusion Detection System (IDS) for SQL injection and cross site scripting attacks on web based applications. This is a quite an interesting discussion on detecting some simple things such as -- or single quotes. KK and Nilesh show how to create reg expressions including how to detect upper case and lower case and also hex equivalents. They also go deeper into metachars and how to recognise SQL Injection attempts and even looking for the keyword UNION. The paper goes on to talk about detecting CSS attacks as well. This is a great little paper, perhaps slightly date due to the more advanced ways to Inject Oracle and other databases that have been presented recently but this paper is still valid and a good attempt at looking at how a IDS free tool can be used useful against Oracle.