IPS notification question

ALIAOF_
Level 6

Can someone tell me what exactly these two log notifications mean:

event_id = 1349377765028007908

severity = medium

app_name = sensorApp

receive_time = 10/18/2012 09:00:31

event_time = 10/18/2012 14:00:30

sensor_local_time = 10/18/2012 08:06:30

sig_name = Generic SQL Injection

sig_details = Insert Into

attacker_ip = 10.1.132.38

attacker_port = 57776

victim_ip = 1.1.1.1 (This is an outside website IP)

victim_port = 80

summary_type =

actions =

---------------------------------------------------------------------------------------

event_id = 1349377765028007989

severity = high

app_name = sensorApp

receive_time = 10/18/2012 11:47:11

event_time = 10/18/2012 16:47:10

sensor_local_time = 10/18/2012 10:53:10

sig_name = HTTP args to xp_cmdshell in HTTP Request

sig_details = xp_cmdshell

attacker_ip = 10.1.136.72

attacker_port = 54239

victim_ip = 66.235.132.232

victim_port = 80

summary_type = Regular

actions =

It seems like sometimes when users are browsing sites this notification gets generated; I'd like to get a better understanding of it. The second error is actually from my own laptop, and the public IP belongs to Adobe.

Accepted Solution

mhellman
Level 7

Unless you're concerned about your internal users attacking external websites, you should create an event action filter for these when sourced from your own network. If you don't, you will see a ton of them in normal traffic (Yahoo is a big one that has query parameters that look like SQL injection when using a very simple signature such as this one).

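As an added illustration (not from either poster, and not a Cisco IPS feature), this Python sketch parses the notification dump from the question and applies the rule the answer recommends: events whose attacker_ip is inside your own address space and whose victim_ip is outside are set aside, while inbound and internal-to-internal hits stay on the queue. It assumes 10.0.0.0/8 as the internal range and uses the two events above as constructed input.

```python
import ipaddress
import re

# Constructed sample: the two sensorApp events from the question, in the
# key = value layout the notifications use (values copied from the post).
SAMPLE_LOG = """\
event_id = 1349377765028007908
sig_name = Generic SQL Injection
sig_details = Insert Into
attacker_ip = 10.1.132.38
victim_ip = 1.1.1.1
----------
event_id = 1349377765028007989
sig_name = HTTP args to xp_cmdshell in HTTP Request
sig_details = xp_cmdshell
attacker_ip = 10.1.136.72
victim_ip = 66.235.132.232
"""

# Assumption: the poster's internal address space is 10.0.0.0/8 (both
# "attacker" addresses in the post fall in it); substitute your real ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_events(text):
    """Split a dump on the dashed separator and read each 'key = value' line."""
    events = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def is_internal(ip, nets=INTERNAL_NETS):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def outbound_from_own_network(event, nets=INTERNAL_NETS):
    """The case the answer says to filter: internal 'attacker', external 'victim'."""
    return is_internal(event["attacker_ip"], nets) and not is_internal(event["victim_ip"], nets)

def triage(text, nets=INTERNAL_NETS):
    """Return (kept, suppressed); inbound and internal-to-internal hits are kept."""
    kept, suppressed = [], []
    for ev in parse_events(text):
        (suppressed if outbound_from_own_network(ev, nets) else kept).append(ev)
    return kept, suppressed
```

The suppressed list is what you would review occasionally for signs of a genuinely compromised internal host, rather than alert on in real time.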
