09-09-2008 01:50 PM - edited 03-10-2019 04:17 AM
We occasionally get "5930 - Generic SQL Injection" alerts on our network.
Signature Details: "Union All? Select". Unfortunately I can't find a match for this string in the attacker context. I have even looked at PIX logs, which contain "x.x.x.x Accessed URL" entries, for a possible "Union All? select" as part of the URL but could not find any.
Could you please throw some light on how to determine if this is a genuine attack or not.
Secondly, I have seen a lot of similar ones - "Aspirox Injection" alerts don't provide the URL in the attacker context. I need to go and fetch the corresponding PIX log to figure out which URL was targeted by this attack.
Could you not capture the entire URL? This alert without URL context is meaningless.
09-09-2008 02:09 PM
I assume you tried setting the detailed/verbose action on this signature. If you already have, try setting the action on signature 5930 to log the attacker packets and the victim packets. You should be able to follow what is happening once you review the capture logs.
09-10-2008 04:51 AM
My research leads me to believe the SQL signatures are pretty accurate. If they fire, someone is trying to do a SQL injection. The real question is how does your database respond? As indicated earlier, capture the data stream but also look at your server and database logs. Has something changed in your database?
09-10-2008 10:41 AM
09-13-2008 12:29 AM
The Generic SQL 'does' actually generate a lot of false positives. Currently it's complaining about slide.com and it's firing for our Network Admin (sitting right next to me). And I'm sure he is not trying to do a SQL injection attack on slide.com (he does not even know what SQL injection is :).
Regards
Farrukh
09-16-2008 09:23 AM
Okay, first of all... you should know that the attacker context will not always have everything you need to make sense of an alarm. In your case it does. If you really want to research something, add one of the "log packets" actions. Here is the regex for that sig:
[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]
This part of the regex
([aA][lL][lL](%20|\x2b))?
means that "ALL" is optional.
So, just "union-select" matches. Part of the URL in the provided context is "-union-select-221049.html". You can probably reproduce pretty easily by just entering a fake URL with union-select:
http://www.google.com/union-select
Yes, this is going to have false positives.
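As an added example (not from the original thread or from Cisco), the signature regex quoted above applied to a few constructed PIX-style "Accessed URL" lines, so an analyst can see which URLs would trigger 5930 and which would not during triage. The log line layout and the IP addresses are assumptions.

```python
import re

# Signature 5930 regex exactly as quoted in the thread above.
# Note: the separator between the keywords must be "%20" or "+" (\x2b);
# the "ALL" group is optional, so "Union%20Select" alone fires too.
SIG_5930 = re.compile(
    r"[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]"
)

# Assumed PIX "Accessed URL" layout: "<client> Accessed URL <server>:<path>"
PIX_LINE = re.compile(r"^(\S+) Accessed URL (\S+?):(\S+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_LINES = [
    "192.0.2.10 Accessed URL 198.51.100.5:/cgi/report.asp?id=1%20union%20all%20select%20name%20from%20users",
    "192.0.2.11 Accessed URL 198.51.100.7:/forum/how-to-union-select-221049.html",
    "192.0.2.12 Accessed URL 198.51.100.9:/search?q=Union+Select+committee",
    "192.0.2.13 Accessed URL 198.51.100.9:/index.html",
]


def parse_pix_line(line):
    """Split one PIX-style line into (client, server, url), or None if it does not fit."""
    m = PIX_LINE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def check_url(url):
    """Return the substring that would fire signature 5930, or None."""
    m = SIG_5930.search(url)
    return m.group(0) if m else None


def triage(lines):
    """Run the signature over each parsed URL; the 'match' field shows why an alert fired."""
    results = []
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed is None:
            continue
        client, server, url = parsed
        results.append({"client": client, "server": server, "url": url, "match": check_url(url)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"{r['client']} -> {r['server']} {r['url']}  fires={r['match']!r}")
```

Running it shows that a plain search for "Union Select committee" fires the signature just like the report.asp request does, while the hyphen-separated forum URL does not match the regex as written.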