554 Views | 0 Helpful | 1 Replies
Jay Cambell
Beginner

Reading IPS Events

What tool can I use to read the hexadecimal? I see the sig version but I would like to read the code.

evIdsAlert: eventId=1335933535873620518 severity=low vendor=Cisco
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 435
  time: 2013/01/28 18:02:26 2013/01/28 18:07:26 EST
  signature: description=SQL Query in HTTP Request id=5474 created=20050412 type=vulnerability version=S585
    subsigId: 0
    sigDetails: SELECT...FROM
    marsCategory: Penetrate/SQLInjection
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.4.64
      port: 63280
    target:
      addr: locality=OUT 98.137.201.232
      port: 80
      os: idSource=learned relevance=relevant type=linux
  context:
    fromTarget:
000000  4C 1A ED 8C C2 FE A4 4E  0E 15 4A 0F 14 68 65 4D  L......N..J..heM
000010  0B D4 19 D9 08 A5 8D 6F  AA 46 0A DF 84 A4 EB DA  .......o.F......
000020  56 D8 1E E8 A5 46 8B 40  0F 5D B3 07 CA 1F 03 04  V....F.@.]......
000030  2B 78 4B 5E 93 97 1C B2  64 C6 3F B2 22 DB 6C DE  +xK^....d.?.".l.
000040  D3 F5 C3 94 4F 01 80 0A  1D 82 1A 2F A9 E9 B4 0F  ....O....../....
000050  00 30 80 CA D8 56 F8 CF  D0 51 DA AE DD 21 DF 16  .0...V...Q...!..
000060  F9 B2 87 AC 48 58 D9 8A  6F 71 C0 19 F5 E5 BF 02  ....HX..oq......
000070  A5 BC F1 8C DF 47 3C 9A  B1 88 45 9C 96 52 28 B5  .....G<...E..R(.
000080  13 F2 EB EE 4A 86 E7 48  7C 25 43 8C C4 6C 44 A4  ....J..H|%C..lD.
000090  45 E1 71 4F 62 02 94 F1  31 65 63 98 AF D8 3C A6  E.qOb...1ec...<.
0000A0  3C 66 AC 20 23 A2 84 3E  04 17 F5 78 9D 07 69 D1  <f. #..>...x..i.
0000B0  75 CA BB DB 91 BF 6F 17  BA 32 37 E9 8D 17 2A 6F  u.....o..27...*o
0000C0  B4 C4 A5 70 3E 47 D4 01  A3 01 19 8C 61 FF 09 F3  ...p>G......a...
0000D0  2B 0D 0A 38 0D 0A 00 00  01 00 FE FF 29 02 0D 0A  +..8........)...
0000E0  33 0D 0A C8 1A 20 0D 0A  65 0D 0A 40 00 00 00 FF  3.... ..e..@....
0000F0  FF 0D F7 2B CE 7E 01 00  00 0D 0A 30 0D 0A 0D 0A  ...+.~.....0....
    fromAttacker:
000000  64 30 31 36 53 58 6C 4F  65 6D 64 34 54 57 70 4E  d016SXlOemd4TWpN
000010  4D 30 35 6E 4C 53 30 42  59 51 46 52 51 55 55 42  M05nLS0BYQFRQUUB
000020  5A 77 46 55 4D 6B 39 43  54 6B 4A 4E 55 7A 4A 47  ZwFUMk9CTkJNUzJG
000030  51 6A 59 7A 56 30 5A 61  52 6C 5A 57 55 55 4E 56  QjYzV0ZaRlZWUUNV
000040  51 54 51 7A 4E 41 46 30  61 58 41 42 52 7A 56 61  QTQzNAF0aXABRzVa
000050  5A 45 52 42 41 58 70 36  41 54 46 79 63 6B 4A 53  ZERBAXp6ATFyckJS
000060  51 6B 45 33 52 51 2D 2D  26 61 66 3D 51 55 46 42  QkE3RQ--&af=QUFB
000070  51 30 46 44 51 55 52 43  4F 55 46 48 51 55 4A 42  Q0FDQURCOUFHQUJB
000080  52 45 46 4C 51 55 39 46  63 30 31 75 4A 6E 52 7A  REFLQU9Fc01uJnRz
000090  50 54 45 7A 4E 54 6B 7A  4F 54 55 31 4E 7A 4D 6D  PTEzNTkzOTU1NzMm
0000A0  63 48 4D 39 4E 44 5A 48  62 47 31 69 4E 7A 46 58  cHM9NDZHbG1iNzFX
0000B0  52 7A 6C 6E 55 6B 64 36  4F 55 74 61 51 56 6C 70  RzlnUkd6OUtaQVlp
0000C0  5A 79 30 74 0D 0A 0D 0A  47 45 54 20 2F 76 31 2F  Zy0t....GET /v1/
0000D0  63 6F 6E 73 6F 6C 65 2F  79 71 6C 3F 71 3D 73 65  console/yql?q=se
0000E0  6C 65 63 74 25 32 30 2A  25 32 30 66 72 6F 6D 25  lect%20*%20from%
0000F0  32 30 73 6F 63 69 61 6C  2E 6E 6F 74 69 66 69 63  20social.notific
  alertDetails: InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 47
  threatRatingValue: 47
  interface: backplane=GigabitEthernet0/1 context=single_vf physical=Unknown GigabitEthernet0/1
  protocol: tcp

1 Reply
sawgupta
Beginner

Well,

In the end section of "fromAttacker" data, there is

"select * from social.notific"

This signature fires when there is a SQL query in an HTTP request.

Hope this helps.

Regards,

Sawan Gupta

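As an added example (not from the original post, and not a Cisco tool), here is a small Python decoder for the "context" hex dump in the alert above. It rebuilds the raw bytes from the offset / hex / ASCII lines, locates the HTTP request line in the fromAttacker capture, percent-decodes the request target, and applies a simple SELECT...FROM check in the spirit of what the description of signature 5474 says. The dump lines embedded in it are copied from the fromAttacker section of the post; the HTTP method list and the SQL regex are my assumptions, not the signature's actual matching logic.

```python
"""Decode a Cisco IPS alert 'context' hex dump and inspect the HTTP request in it.

Added example; not the IPS sensor's own code.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Lines copied from the fromAttacker section of the alert in the post (offset 0xC0 on).
FROM_ATTACKER_DUMP = """\
0000C0  5A 79 30 74 0D 0A 0D 0A  47 45 54 20 2F 76 31 2F  Zy0t....GET /v1/
0000D0  63 6F 6E 73 6F 6C 65 2F  79 71 6C 3F 71 3D 73 65  console/yql?q=se
0000E0  6C 65 63 74 25 32 30 2A  25 32 30 66 72 6F 6D 25  lect%20*%20from%
0000F0  32 30 73 6F 63 69 61 6C  2E 6E 6F 74 69 66 69 63  20social.notific
"""

# A dump line starts with a 6-digit hex offset followed by two spaces.
DUMP_LINE = re.compile(r"^[0-9A-Fa-f]{6}\s\s")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_dump(text: str) -> bytes:
    """Rebuild raw bytes from IPS dump lines.

    Layout of a full line: 6-digit offset, two spaces, 16 'XX' byte values
    (with an extra space after the 8th), two spaces, then a 16-char ASCII
    column.  The ASCII column is never used for reconstruction because the
    sensor prints non-printable bytes as '.' there.
    """
    out = bytearray()
    for line in text.splitlines():
        if not DUMP_LINE.match(line):
            continue  # blank line, or an alert field such as '  context:'
        if len(line) >= 58:
            # Full 16-byte line: the hex field occupies columns 8..55 exactly.
            hex_field = line[8:56]
        else:
            # Short trailing line (assumed layout): take leading 2-hex-digit
            # tokens, at most 16.  Ambiguous only if the ASCII column itself
            # happens to look like a hex byte, which is unlikely for real data.
            tokens = []
            for tok in line[8:].split():
                if len(tokens) == 16 or not HEX_BYTE.match(tok):
                    break
                tokens.append(tok)
            hex_field = " ".join(tokens)
        out += bytes.fromhex(hex_field)  # fromhex() skips whitespace (Python 3.7+)
    return bytes(out)


# Assumed request-line shape; the capture may be truncated, so no CRLF is required.
REQUEST_LINE = re.compile(rb"(?:GET|POST|PUT|HEAD|DELETE) (\S+)")
# Crude SELECT ... FROM check, modelled on the 'sigDetails: SELECT...FROM' field.
SQL_IN_REQUEST = re.compile(r"\bselect\b.*?\bfrom\b", re.IGNORECASE | re.DOTALL)


def http_request_target(data: bytes) -> Optional[str]:
    """Return the request-target of the first HTTP request line, or None."""
    m = REQUEST_LINE.search(data)
    return m.group(1).decode("latin-1") if m else None


def inspect_context(dump: str) -> dict:
    """Decode a dump, pull out the request target, and flag a SELECT...FROM pattern."""
    data = parse_dump(dump)
    target = http_request_target(data)
    decoded = unquote(target) if target else None
    hit = SQL_IN_REQUEST.search(decoded) if decoded else None
    return {
        "bytes": len(data),
        "request_target": target,
        "decoded_target": decoded,
        "sql_match": hit.group(0) if hit else None,
    }


if __name__ == "__main__":
    for key, value in inspect_context(FROM_ATTACKER_DUMP).items():
        print(f"{key}: {value}")
```

Run against the fromAttacker lines it reports the decoded target `/v1/console/yql?q=select * from social.notific` and the matched fragment `select * from`, which is what the reply above found by reading the ASCII column. The fromTarget side of the same alert decodes to mostly non-printable bytes, so the same approach shows nothing readable there; the alert was triggered by the client's request, not the server's response.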