01-28-2013 10:39 AM - edited 03-10-2019 05:53 AM
What tool can I use to read the hexadecimal? I see the sig version but I would like to read the code.
evIdsAlert: eventId=1335933535873620518 severity=low vendor=Cisco
originator:
hostId: IPS
appName: sensorApp
appInstanceId: 435
time: 2013/01/28 18:02:26 2013/01/28 18:07:26 EST
signature: description=SQL Query in HTTP Request id=5474 created=20050412 type=vulnerability version=S585
subsigId: 0
sigDetails: SELECT...FROM
marsCategory: Penetrate/SQLInjection
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 10.0.4.64
port: 63280
target:
addr: locality=OUT 98.137.201.232
port: 80
os: idSource=learned relevance=relevant type=linux
context:
fromTarget:
000000 4C 1A ED 8C C2 FE A4 4E 0E 15 4A 0F 14 68 65 4D L......N..J..heM
000010 0B D4 19 D9 08 A5 8D 6F AA 46 0A DF 84 A4 EB DA .......o.F......
000020 56 D8 1E E8 A5 46 8B 40 0F 5D B3 07 CA 1F 03 04 V....F.@.]......
000030 2B 78 4B 5E 93 97 1C B2 64 C6 3F B2 22 DB 6C DE +xK^....d.?.".l.
000040 D3 F5 C3 94 4F 01 80 0A 1D 82 1A 2F A9 E9 B4 0F ....O....../....
000050 00 30 80 CA D8 56 F8 CF D0 51 DA AE DD 21 DF 16 .0...V...Q...!..
000060 F9 B2 87 AC 48 58 D9 8A 6F 71 C0 19 F5 E5 BF 02 ....HX..oq......
000070 A5 BC F1 8C DF 47 3C 9A B1 88 45 9C 96 52 28 B5 .....G<...E..R(.
000080 13 F2 EB EE 4A 86 E7 48 7C 25 43 8C C4 6C 44 A4 ....J..H|%C..lD.
000090 45 E1 71 4F 62 02 94 F1 31 65 63 98 AF D8 3C A6 E.qOb...1ec...<.
0000A0 3C 66 AC 20 23 A2 84 3E 04 17 F5 78 9D 07 69 D1 <f. #..>...x..i.
0000B0 75 CA BB DB 91 BF 6F 17 BA 32 37 E9 8D 17 2A 6F u.....o..27...*o
0000C0 B4 C4 A5 70 3E 47 D4 01 A3 01 19 8C 61 FF 09 F3 ...p>G......a...
0000D0 2B 0D 0A 38 0D 0A 00 00 01 00 FE FF 29 02 0D 0A +..8........)...
0000E0 33 0D 0A C8 1A 20 0D 0A 65 0D 0A 40 00 00 00 FF 3.... ..e..@....
0000F0 FF 0D F7 2B CE 7E 01 00 00 0D 0A 30 0D 0A 0D 0A ...+.~.....0....
fromAttacker:
000000 64 30 31 36 53 58 6C 4F 65 6D 64 34 54 57 70 4E d016SXlOemd4TWpN
000010 4D 30 35 6E 4C 53 30 42 59 51 46 52 51 55 55 42 M05nLS0BYQFRQUUB
000020 5A 77 46 55 4D 6B 39 43 54 6B 4A 4E 55 7A 4A 47 ZwFUMk9CTkJNUzJG
000030 51 6A 59 7A 56 30 5A 61 52 6C 5A 57 55 55 4E 56 QjYzV0ZaRlZWUUNV
000040 51 54 51 7A 4E 41 46 30 61 58 41 42 52 7A 56 61 QTQzNAF0aXABRzVa
000050 5A 45 52 42 41 58 70 36 41 54 46 79 63 6B 4A 53 ZERBAXp6ATFyckJS
000060 51 6B 45 33 52 51 2D 2D 26 61 66 3D 51 55 46 42 QkE3RQ--&af=QUFB
000070 51 30 46 44 51 55 52 43 4F 55 46 48 51 55 4A 42 Q0FDQURCOUFHQUJB
000080 52 45 46 4C 51 55 39 46 63 30 31 75 4A 6E 52 7A REFLQU9Fc01uJnRz
000090 50 54 45 7A 4E 54 6B 7A 4F 54 55 31 4E 7A 4D 6D PTEzNTkzOTU1NzMm
0000A0 63 48 4D 39 4E 44 5A 48 62 47 31 69 4E 7A 46 58 cHM9NDZHbG1iNzFX
0000B0 52 7A 6C 6E 55 6B 64 36 4F 55 74 61 51 56 6C 70 RzlnUkd6OUtaQVlp
0000C0 5A 79 30 74 0D 0A 0D 0A 47 45 54 20 2F 76 31 2F Zy0t....GET /v1/
0000D0 63 6F 6E 73 6F 6C 65 2F 79 71 6C 3F 71 3D 73 65 console/yql?q=se
0000E0 6C 65 63 74 25 32 30 2A 25 32 30 66 72 6F 6D 25 lect%20*%20from%
0000F0 32 30 73 6F 63 69 61 6C 2E 6E 6F 74 69 66 69 63 20social.notific
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 47
threatRatingValue: 47
interface: backplane=GigabitEthernet0/1 context=single_vf physical=Unknown GigabitEthernet0/1
protocol: tcp
01-28-2013 07:52 PM
Well,
In the end section of the "fromAttacker" data, there is
"select * from social.notific"
This signature fires when there is a SQL query in an HTTP request.
Hope this helps.
Regards,
Sawan Gupta
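Doing by script what the answer does by eye, as an added Python example (not from the thread or from Cisco): it parses the sensor's offset/hex/ASCII context lines back into bytes, picks out the HTTP request line, URL-decodes the query string, and applies the same SELECT...FROM test that the signature's sigDetails describes. The embedded sample is the last four fromAttacker lines of the alert above; the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the last four 'fromAttacker' lines of the alert posted above.
SAMPLE_DUMP = """\
0000C0 5A 79 30 74 0D 0A 0D 0A 47 45 54 20 2F 76 31 2F Zy0t....GET /v1/
0000D0 63 6F 6E 73 6F 6C 65 2F 79 71 6C 3F 71 3D 73 65 console/yql?q=se
0000E0 6C 65 63 74 25 32 30 2A 25 32 30 66 72 6F 6D 25 lect%20*%20from%
0000F0 32 30 73 6F 63 69 61 6C 2E 6E 6F 74 69 66 69 63 20social.notific
"""

OFFSET = re.compile(r"[0-9A-Fa-f]{6}")
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
# The pattern the signature's sigDetails (SELECT...FROM) describes, case-insensitive.
SELECT_FROM = re.compile(r"\bselect\b.*?\bfrom\b", re.IGNORECASE | re.DOTALL)


def parse_hexdump(text):
    """Turn IPS context lines (offset, up to 16 hex bytes, ASCII column) back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET.fullmatch(tokens[0]):
            continue  # label lines such as 'fromAttacker:' are skipped
        for tok in tokens[1:17]:  # at most 16 bytes per line
            if not HEX_PAIR.fullmatch(tok):
                break  # reached the ASCII column (only a short final line gets here)
            out.append(int(tok, 16))
    return bytes(out)


def extract_requests(raw):
    """Find HTTP request lines in the decoded stream and URL-decode their query strings."""
    text = raw.decode("latin-1")  # one char per byte, so binary junk is kept, not rejected
    requests = []
    for m in re.finditer(r"\b(GET|POST|HEAD|PUT|DELETE) (\S+)", text):
        parts = urlsplit(m.group(2))
        params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs does the %xx decoding
        requests.append({"method": m.group(1), "path": parts.path, "params": params})
    return requests


def sql_in_query(params):
    """Return the decoded parameter values that match the SELECT...FROM test."""
    return [v for values in params.values() for v in values if SELECT_FROM.search(v)]


if __name__ == "__main__":
    for req in extract_requests(parse_hexdump(SAMPLE_DUMP)):
        print(req["method"], req["path"], req["params"])
        print("SQL-looking values:", sql_in_query(req["params"]))
```

Feed it the whole fromAttacker block (label line included) and it will skip the label and decode every line; the fromTarget block decodes to binary, which is why no readable text shows in its ASCII column.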