
5474/0 filtering

mark.barrett
Level 1

I'm getting a lot of 5474/0 alarms (SQL query in HTTP request) due to people surfing to Yahoo. Is there a good way to set a filter on the IDS so the alarm is not generated from certain sites?


Luis Silva Benavides
Cisco Employee

Hi Mark,

The signature is catching anything that makes an SQL select query inside HTTP. The fidelity/FP issue for this signature is it might occasionally match a non-SQL query. This is only in the HTTP engine, so it will not match direct DB communication, only that over HTTP. The risk rating on this signature is not large since the severity is low. This signature is best usable by MARS or other post-analysis, or as an element of a meta signature.

You can also do an event action filter.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html

HTH,

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html


I should have also mentioned that the Yahoo traffic does contain SQL language which is causing the alarm to trigger. I would like to filter out sites such as Yahoo, but still let the alarm trigger on other sites. If I were to use an event action filter, it would allow me to filter by source IP but I'm trying to find a way to filter by URL contained in the packet / destination.

The only way I can do this now is with Splunk or some other method that does not involve the IPS. The drawback to this method is the alarms have already triggered, and it requires additional analysis to filter out the false positive alarms. It's not possible to make an event action filter based on the destination IP because this IP is always the Proxy address or some other internal network address that's part of the normal traffic flow.
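The post-analysis approach described above (filtering 5474/0 hits by the site named in the captured HTTP request rather than by source or destination IP), written out as an added example; this is not code from the thread or from Cisco. It assumes the alerts have already been exported with a captured fragment of the HTTP request, and the record layout, the allowlist and the sample alerts below are all constructed for illustration. The allowlist is matched on the Host header as an exact domain or a subdomain of it, so a lookalike host that merely contains the allowlisted name as a prefix is still kept for review.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# Hypothetical allowlist: sites whose 5474/0 (SQL query in HTTP request) hits
# are known to be benign and should be dropped from the review queue.
ALLOWLIST_SUFFIXES: Tuple[str, ...] = ("yahoo.com",)

# Signature/sub-signature pair this filter applies to (from the thread).
TARGET_SIGNATURE = (5474, 0)


@dataclass
class Alert:
    """One exported IPS alert (constructed layout, not an IPS export format)."""
    sig_id: int
    sub_sig: int
    src: str
    dst: str          # usually the proxy address, which is why dst-IP filters do not help
    http_request: str  # captured fragment of the request that fired the signature


# Matches the Host header at the start of a line; strips any :port suffix.
HOST_RE = re.compile(r"^Host:\s*([^\s:]+)", re.IGNORECASE | re.MULTILINE)


def request_host(http_request: str) -> Optional[str]:
    """Return the normalised Host header value, or None if the capture lacks one."""
    m = HOST_RE.search(http_request)
    if not m:
        return None
    return m.group(1).lower().rstrip(".")


def host_allowlisted(host: Optional[str],
                     suffixes: Sequence[str] = ALLOWLIST_SUFFIXES) -> bool:
    """True only for an exact allowlisted domain or a subdomain of one.

    Deliberately not a substring test: 'yahoo.com.example' must not match.
    """
    if host is None:
        return False
    return any(host == s or host.endswith("." + s) for s in suffixes)


def should_suppress(alert: Alert,
                    suffixes: Sequence[str] = ALLOWLIST_SUFFIXES) -> bool:
    """Suppress only 5474/0 hits whose request was sent to an allowlisted site."""
    if (alert.sig_id, alert.sub_sig) != TARGET_SIGNATURE:
        return False
    return host_allowlisted(request_host(alert.http_request), suffixes)


def filter_alerts(alerts: Iterable[Alert],
                  suffixes: Sequence[str] = ALLOWLIST_SUFFIXES
                  ) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into (kept, suppressed); suppressed ones are still returned for audit."""
    kept: List[Alert] = []
    suppressed: List[Alert] = []
    for a in alerts:
        (suppressed if should_suppress(a, suffixes) else kept).append(a)
    return kept, suppressed


# Constructed sample export: the same proxy address appears as dst on every record.
SAMPLE_ALERTS = [
    Alert(5474, 0, "10.1.2.3", "10.0.0.10",
          "GET /search?p=select+a+new+car HTTP/1.1\r\nHost: us.yahoo.com\r\n"),
    Alert(5474, 0, "10.1.2.4", "10.0.0.10",
          "GET /?q=select+1 HTTP/1.1\r\nHost: yahoo.com.example\r\n"),
    Alert(5474, 0, "10.1.2.5", "10.0.0.10",
          "GET /app?id=1%20or%20select HTTP/1.1\r\nHost: intranet.example.internal\r\n"),
    Alert(5081, 0, "10.1.2.6", "10.0.0.10",
          "GET /index.html HTTP/1.1\r\nHost: mail.yahoo.com\r\n"),
]


def summarize(alerts: Iterable[Alert] = SAMPLE_ALERTS) -> Tuple[int, int]:
    """Return (kept_count, suppressed_count) for a batch of alerts."""
    kept, suppressed = filter_alerts(alerts)
    return len(kept), len(suppressed)


if __name__ == "__main__":
    kept, suppressed = filter_alerts(SAMPLE_ALERTS)
    for a in suppressed:
        print(f"suppressed 5474/0 from {a.src} to host {request_host(a.http_request)}")
    for a in kept:
        print(f"kept {a.sig_id}/{a.sub_sig} from {a.src} to host {request_host(a.http_request)}")
```

Keeping the suppressed records in a separate list rather than discarding them lets the allowlist itself be reviewed later; a noisy signature is still worth retaining for correlation, which is the use Luis describes above.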
