Generic SQL Injection in HTTP Request

rcwally5192
Level 1

So our project allows Facebook interaction. MARS sends out this Incident Event type every time someone attaches to Facebook. Is this something I can just False Positive out or should I be concerned about it? What is Facebook sending back to our network so we get this message on MARS?

2 Replies

Jia Liu
Cisco Employee

Which device is sending this alert to MARS? If it's an IPS sensor, check the description of the signature to see what kind of behavior will trigger the alert. To see what Facebook is sending back to your network, you can do a sniffer trace and analyze the packets.

avanzaadmin
Level 1

I get numerous alerts from our IDSMs and have mitigated this by:

1: Not allowing the IDSMs to block our outgoing traffic at all. Not worth the risk of causing a major outage.

2: Created a drop in MARS that drops all SQL Injections destined for the Facebook subnets (69.63.176.1-69.63.183.254, 66.220.144.1-66.220.159.255).

Regards

Fredrik
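
The tuning described in the reply above, sketched as an added example (not code from either poster and not MARS configuration): suppression is scoped to the one event type and to destinations inside the two quoted ranges, so the same event aimed at your own servers, or at an address just outside the ranges, still surfaces. The alert field names, the sample alerts and the "Other Event" name are constructed for illustration.

```python
import ipaddress

# Ranges quoted in the reply above; everything else here is constructed.
FACEBOOK_RANGES = [
    ("69.63.176.1", "69.63.183.254"),
    ("66.220.144.1", "66.220.159.255"),
]
SUPPRESSED_EVENT = "Generic SQL Injection in HTTP Request"


def to_networks(ranges):
    """Turn first-last address pairs into the CIDR blocks covering exactly them."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def is_tuned_out(alert, nets):
    """True only for the one event type AND a destination inside the ranges."""
    if alert["event"] != SUPPRESSED_EVENT:
        return False
    dst = ipaddress.ip_address(alert["dst"])
    return any(dst in net for net in nets)


def triage(alerts, ranges=FACEBOOK_RANGES):
    """Split alerts into (kept for review, dropped as tuned-out)."""
    nets = to_networks(ranges)
    kept = [a for a in alerts if not is_tuned_out(a, nets)]
    dropped = [a for a in alerts if is_tuned_out(a, nets)]
    return kept, dropped


# Constructed sample alerts (private/documentation addresses for local hosts).
SAMPLE_ALERTS = [
    {"event": SUPPRESSED_EVENT, "src": "10.1.1.20", "dst": "69.63.181.12"},
    {"event": SUPPRESSED_EVENT, "src": "10.1.1.20", "dst": "66.220.160.1"},
    {"event": SUPPRESSED_EVENT, "src": "203.0.113.7", "dst": "10.1.2.5"},
    {"event": "Other Event", "src": "10.1.1.21", "dst": "69.63.176.5"},
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_ALERTS)
    print("dropped:", dropped)
    print("kept for review:", kept)
```

Only the first sample alert is dropped; the inbound alert against the internal host stays in the review queue.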
