IPS Notification Details

TM13
Level 1

Our IPS is showing LOW level severity only:

No.  IP Address       DNS Name                            Alerts  Percentage
1    173.252.112.23   edge-star-shv-03-ash5.facebook.com  16      40.00%
2    206.190.37.99    yts2.yql.vip.gq1.yahoo.com          11      27.50%
3    206.190.36.34    yts1.yql.vip.gq1.yahoo.com          6       15.00%
4    98.138.243.55    yts1.yql.vip.ne1.yahoo.com          3       7.50%
5    78.46.174.36     unknown                             2       5.00%
6    106.10.137.175   yts2.yql.vip.sg3.yahoo.com          2       5.00%
Total                                                     40      100%

No.  Signature ID/Sub-ID  Signature Name             Alerts  Percentage
1    5474/0               SQL Query in HTTP Request  7       100.00%
Total                                                7       100%


https://www.robtex.com/en/advisory/dns/net/yahoodns/a06/query/internal/any-cache/

There is not much information on the Cisco site.

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5474&signatureSubId=1&softwareVersion=6.0&releaseVersion=S472

What actions need to be taken from our side? And consider about

5 Replies

leandro10
Level 1

I'm having the same issue. I see signature 5474 tripping internally and going out to 98.137.201.232, 206.190.37.99, and some other Yahoo IPs.


Please advise on the recommended actions to take.

This is not harmful as far as I can see.

The IPS will just generate the alert when the word "Insert" appears in an HTTP header. As the signature suggests, it is generated whenever that keyword is seen.

If you want to investigate this further, you may need to turn on the action that says "Log pair packets" to see the request and see exactly what the user is doing.

Mike

Thanks Maykol, just enabled, let's see what we can get :)


Action: IP Logging Activated,Log Attacker Packets Activated,Log Victim Packets Activated,Log Pair Packets Activated
Alert Details: InterfaceAttributes: context="" physical="Unknown" backplane="GigabitEthernet0/1" ;
App Name: sensorApp
Backplane Interface: GigabitEthernet0/1
Description: SELECT...FROM
Destination: 206.190.37.99
Destination Locality: OUT
Destination OS: unknown
Destination OS Relevance: unknown
Destination OS Source: unknown
Destination Service: tcp/80
Device:
Event ID: 41237174517
Event Name: SQL Query in HTTP Request
Event Type ID: 5474/0
Generation Time: 1/13/15 9:58:59 AM
Host ID:
IPS Category: vulnerability
Ip Log Id: 9110,9113,9114
Physical Interface: Unknown
Protocol: tcp
Receive Time: 1/13/15 9:58:15 AM
Risk Rating: 42
Security Context:
Sensor Event ID: 1399639605815150704
Severity: Low (IPS)
Sig ID: 5474
Signature Version: S585
Source:
Source Context Data: Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 1970-01-01 07:23:41.114 ---- Ether: Ether: dst = 67:32:4d:32:64:4a Ether: src = 71:36:42:78:25:32 Ether: proto = 0x3225 Ether: Data: 032 43 25 32 32 5f 77 25 32 32 25 33 41 25 32 32 2C%22_w%22%3A%22 Data: 073 70 6f 72 74 73 2e 79 61 68 6f 6f 2e 63 6f 6d sports.yahoo.com Data: 025 32 46 6e 62 61 25 32 46 64 65 74 72 6f 69 74 %2Fnba%2Fdetroit Data: 02d 70 69 73 74 6f 6e 73 2d 74 6f 72 6f 6e 74 6f -pistons-toronto Data: 02d 72 61 70 74 6f 72 73 2d 32 30 31 35 30 31 31 -raptors-2015011 Data: 032 32 38 25 32 46 25 32 32 25 32 43 25 32 32 78 228%2F%22%2C%22x Data: 025 32 32 25 33 41 25 32 32 31 32 37 25 32 32 25 %22%3A%22127%22% Data: 032 43 25 32 32 73 73 6c 25 32 32 25 33 41 25 32 2C%22ssl%22%3A%2 Data: 032 30 25 32 32 25 32 43 25 32 32 6a 75 72 69 73 20%22%2C%22juris Data: 025 32 32 25 33 41 25 32 32 55 53 25 32 32 25 32 %22%3A%22US%22%2 Data: 043 25 32 32 6c 61 6e 67 25 32 32 25 33 41 25 32 C%22lang%22%3A%2 Data: 032 65 6e 2d 55 53 25 32 32 25 32 43 25 32 32 6c 2en-US%22%2C%22l Data: 070 73 74 61 69 64 25 32 32 25 33 41 25 32 32 25 pstaid%22%3A%22% Data: 032 32 25 32 43 25 32 32 6d 72 6b 74 25 32 32 25 22%2C%22mrkt%22% Data: 033 41 25 32 32 55 53 25 32 32 25 32 43 25 32 32 3A%22US%22%2C%22 Data: 070 63 pc Data:
Source Interface: GigabitEthernet0/1
Source Locality: OUT
Source Service: tcp/50311
Sub SigId: 0
Target Value Rating: medium
Threat Rating: 42
TimeZone: GMT+08:00
UTC Offset: 480
VLAN Id: 0
Virtual Sensor: vs0

Action: IP Logging Activated,Log Attacker Packets Activated,Log Victim Packets Activated,Log Pair Packets Activated
Alert Details: InterfaceAttributes: context="" physical="Unknown" backplane="GigabitEthernet0/1" ;
App Name: sensorApp
Backplane Interface: GigabitEthernet0/1
Description: SELECT...FROM
Destination: 98.138.243.53
Destination Locality: OUT
Destination OS: unknown
Destination OS Relevance: unknown
Destination OS Source: unknown
Destination Service: tcp/80
Device:
Event ID: 41237138752
Event Name: SQL Query in HTTP Request
Event Type ID: 5474/0
Generation Time: 1/13/15 9:58:34 AM
Host ID:
IPS Category: vulnerability
Ip Log Id: 9110,9111,9117
Physical Interface: Unknown
Protocol: tcp
Receive Time: 1/13/15 9:57:50 AM
Risk Rating: 42
Security Context:
Sensor Event ID: 1399639605815150684
Severity: Low (IPS)
Sig ID: 5474
Signature Version: S585
Source:
Source Context Data: Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 1970-01-01 07:23:41.114 ---- Ether: Ether: dst = 71:3d:73:65:6c:65 Ether: src = 63:74:25:32:30:2a Ether: proto = 0x2532 Ether: Data: 030 66 72 6f 6d 25 32 30 78 25 32 30 77 68 65 72 0from%20x%20wher Data: 065 25 32 30 61 25 32 30 25 33 44 25 32 30 27 37 e%20a%20%3D%20'7 Data: 05a 6c 66 62 39 73 32 46 38 61 25 32 46 69 71 43 Zlfb9s2F8a%2FiqC Data: 062 33 55 52 4a 4a 44 75 4a 34 7a 73 6e 51 31 64 b3URJJDuJ4zsnQ1d Data: 073 25 32 46 54 50 55 66 66 64 65 44 45 56 41 30 s%2FTPUffdeDEVA0 Data: 062 54 4d 68 68 49 46 6b 72 4a 6e 46 50 33 75 4f bTMhhIFkrJnFP3uO Data: 035 51 63 52 38 33 69 4a 5QcR83iJ Data:
Source Interface: GigabitEthernet0/1
Source Locality: OUT
Source Service: tcp/50147
Sub SigId: 0
Target Value Rating: medium
Threat Rating: 42
TimeZone: GMT+08:00
UTC Offset: 480
VLAN Id: 0
Virtual Sensor: vs0

Action: IP Logging Activated,Log Attacker Packets Activated,Log Victim Packets Activated,Log Pair Packets Activated
Alert Details: InterfaceAttributes: context="" physical="Unknown" backplane="GigabitEthernet0/1" ;
App Name: sensorApp
Backplane Interface: GigabitEthernet0/1
Description: SELECT...FROM
Destination: 173.252.112.23
Destination Locality: OUT
Destination OS: unknown
Destination OS Relevance: unknown
Destination OS Source: unknown
Destination Service: tcp/80
Device:
Event ID: 41223114312
Event Name: SQL Query in HTTP Request
Event Type ID: 5474/0
Generation Time: 1/13/15 6:29:52 AM
Host ID:
IPS Category: vulnerability
Ip Log Id: 8879,8880,8881
Physical Interface: Unknown
Protocol: tcp
Receive Time: 1/13/15 6:29:12 AM
Risk Rating: 42
Security Context: skymedia
Sensor Event ID: 1399639605815142222
Severity: Low (IPS)
Sig ID: 5474
Signature Version: S585
Source:
Source Context Data: Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 1970-01-01 07:23:41.101 ---- Ether: Ether: dst = 47:45:54:20:2f:66 Ether: src = 71:6c:3f:71:3d:53 Ether: proto = 0x454c Ether: Data: 045 43 54 25 32 30 75 72 6c 2c 25 32 30 6e 6f 72 ECT%20url,%20nor Data: 06d 61 6c 69 7a 65 64 5f 75 72 6c 2c 25 32 30 73 malized_url,%20s Data: 068 61 72 65 5f 63 6f 75 6e 74 2c 25 32 30 6c 69 hare_count,%20li Data: 06b 65 5f 63 6f 75 6e 74 2c 25 32 30 63 6f 6d 6d ke_count,%20comm Data: 065 6e 74 5f 63 6f 75 6e 74 2c 25 32 30 74 6f 74 ent_count,%20tot Data: 061 6c 5f 63 6f 75 6e 74 2c 63 6f 6d 6d 65 6e 74 al_count,comment Data: 073 62 6f 78 5f 63 6f 75 6e 74 2c 25 32 30 63 6f sbox_count,%20co Data: 06d 6d 65 6e 74 73 5f 66 62 69 64 2c 25 32 30 63 mments_fbid,%20c Data: 06c 69 63 6b 5f 63 6f 75 6e 74 25 32 30 46 52 4f lick_count%20FRO Data: 04d 25 32 30 6c 69 6e 6b 5f 73 74 61 74 25 32 30 M%20link_stat%20 Data: 057 48 45 52 45 WHERE Data:
Source Interface: GigabitEthernet0/1
Source Locality: OUT
Source Service: tcp/57260
Sub SigId: 0
Target Value Rating: medium
Threat Rating: 42
TimeZone: GMT+08:00
UTC Offset: 480
VLAN Id: 0
Virtual Sensor: vs0

Anyone who can read this?
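The dumps above can be read once you notice the sensor dissected the captured HTTP payload as if it were an Ethernet frame, so the "dst", "src" and "proto" fields hold the first 14 request bytes and the "Data:" chunks hold the rest. This added Python example (not from the thread or from Cisco) rebuilds the bytes of the third alert's Source Context Data, URL-decodes them, and reports where the SELECT...FROM that signature 5474 keys on actually sits: in the q= parameter of a GET to /fql on the Facebook host from the first table, not in a request to any internal database.

```python
import re
from urllib.parse import unquote

# Sample input: the Source Context Data of the third alert (destination
# 173.252.112.23), copied from the post above for this example.
SAMPLE = (
    "Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 1970-01-01 07:23:41.101 ---- "
    "Ether: Ether: dst = 47:45:54:20:2f:66 Ether: src = 71:6c:3f:71:3d:53 "
    "Ether: proto = 0x454c Ether: "
    "Data: 045 43 54 25 32 30 75 72 6c 2c 25 32 30 6e 6f 72 ECT%20url,%20nor "
    "Data: 06d 61 6c 69 7a 65 64 5f 75 72 6c 2c 25 32 30 73 malized_url,%20s "
    "Data: 068 61 72 65 5f 63 6f 75 6e 74 2c 25 32 30 6c 69 hare_count,%20li "
    "Data: 06b 65 5f 63 6f 75 6e 74 2c 25 32 30 63 6f 6d 6d ke_count,%20comm "
    "Data: 065 6e 74 5f 63 6f 75 6e 74 2c 25 32 30 74 6f 74 ent_count,%20tot "
    "Data: 061 6c 5f 63 6f 75 6e 74 2c 63 6f 6d 6d 65 6e 74 al_count,comment "
    "Data: 073 62 6f 78 5f 63 6f 75 6e 74 2c 25 32 30 63 6f sbox_count,%20co "
    "Data: 06d 6d 65 6e 74 73 5f 66 62 69 64 2c 25 32 30 63 mments_fbid,%20c "
    "Data: 06c 69 63 6b 5f 63 6f 75 6e 74 25 32 30 46 52 4f lick_count%20FRO "
    "Data: 04d 25 32 30 6c 69 6e 6b 5f 73 74 61 74 25 32 30 M%20link_stat%20 "
    "Data: 057 48 45 52 45 WHERE Data:"
)

# The pattern the signature description ("SELECT...FROM") amounts to.
SQL_KEYWORDS = re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S)


def recover_payload(ctx: str) -> bytes:
    # First 14 payload bytes were mis-dissected as Ethernet dst/src/proto.
    dst, src = (re.search(rf"{k} = ([0-9a-f:]+)", ctx).group(1) for k in ("dst", "src"))
    proto = re.search(r"proto = 0x([0-9a-f]{4})", ctx).group(1)
    body = bytearray.fromhex(dst.replace(":", "") + src.replace(":", "") + proto)
    # Each "Data:" chunk: an offset digit fused to the first byte, then up to
    # 16 hex bytes, then an ASCII rendering we ignore (the hex is authoritative).
    for chunk in ctx.split("Data:")[1:]:
        toks = chunk.split()
        if toks:
            toks[0] = toks[0][1:]
        for tok in toks[:16]:
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break
            body.append(int(tok, 16))
    return bytes(body)


def triage(ctx: str) -> dict:
    """Decode the capture and report where the SELECT...FROM match sits."""
    text = unquote(recover_payload(ctx).decode("ascii", errors="replace"))
    method, _, rest = text.partition(" ")
    path, _, query = rest.partition("?")
    return {"method": method, "path": path, "decoded": text,
            "sql_like": bool(SQL_KEYWORDS.search(text)),
            "keywords_in_query_string": bool(SQL_KEYWORDS.search(query))}
```

The same parser applies to the other two dumps: the second decodes to a q=select ... from ... where query bound for the Yahoo YQL host, and the first to a URL-encoded JSON fragment of a sports.yahoo.com page request.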
