Episode Name: Episode 16 - Mitigating a SQL attack with ASA, IPS and IOS Firewall
Contributors: Blayne Dreier, Jay Johnston, Magnus Mortensen, David White
Posting Date: February 2, 2011
Description: In this episode, the panel discusses SQL attacks against web servers, and how they are detected and mitigated by the IPS appliances. In addition, the panel looks at how you can use the same signatures from the IPS and apply them as regex matches to the HTTP inspection engines on both the ASA and IOS-Firewall.
The above regex pattern is really looking for the text "UNION ALL SELECT", where the "ALL" is optional. It will also match on either a space or a plus between words. Therefore, all of the following phrases will cause the regex to be matched:
UNION ALL SELECT
UNION SELECT
UNION+ALL+SELECT
UNION+SELECT
Also note that all of the text can be in any case, and that a space and a plus can be used interchangeably at each position. Thus the following also matches:
Since the regex can be a little confusing, we have broken it apart to indicate what each section of the regular expression is doing.
One thing to note is that the (%20|\x2b) piece matches on either the URL encoding of a space (%20) or a plus (+), the latter written as \x2b in ASCII hexadecimal notation.
This second regex is slightly more complicated, but very similar to the previous one. In this case, the regex is matching on a preceding space, plus or equals sign, then an optional open parenthesis, then the text SELECT followed by any number of characters and then the text FROM. Therefore, all of the following phrases will cause the regex to be matched:
=SELECT PASSWORD FROM
(SELECT * FROM
Given that there are 7 sections to the regex, there are quite a few different possibilities for what this regex will match. Again, all text is case insensitive. One thing to note here is the alternate form of matching for a space or a plus, ([%]2[0bB]|[+]). This form is a bit longer than the one we saw in signature 5930, and matches not only on the literal plus (+) but also on the URL-encoded form of a plus (%2b or %2B), which is actually 3 ASCII characters.
Device Specific Configurations
No specific configuration is required on IPS, as the regular expressions above are included in the signature set which is installed on the IPS. They are also enabled by default, so users are protected from these types of attacks.
In order to match the above two regular expressions on the ASA (so that it detects the exploit), we have to do a few things.
First, the regex for signature 5474 is 133 characters, but the ASA has a limit on the maximum length of a regular expression, which is 101 characters. Therefore, for the ASA we will use the following regular expression pattern:
What we changed: we removed the leading check for a space, plus or equals sign, and also removed the optional brackets around the % and + signs. Removing the leading check for the space, plus or equals sign reduces the fidelity of the signature and can result in more false negative conditions.
Second, as the payload of the POST request we are using to exploit the vulnerability is carried in the body, we need to increase how many bytes deep the ASA will look into the body before it stops inspecting. By default this is 2,000 bytes. Our exploit sits just after 2,000 bytes, so we are increasing the depth to 3,000 bytes under the parameters section.
One final important note. The ASA parser will treat any question mark (?) you try to enter as the user asking for help. Therefore, in order to enter a question mark (?) in the regex, you must first escape it by entering the Control+V character sequence, then the question mark. The Control+V character will not appear on the screen.
!
class-map WebServers
 match port tcp eq www
class-map type inspect http match-any SQL-map
 match request body regex SQL_regex_1
 match request body regex SQL_regex_2
!
policy-map type inspect http drop-SQL
 parameters
  body-match-maximum 3000
 class SQL-map
  drop-connection log
policy-map SQL-traffic
 class WebServers
  inspect http drop-SQL
!
service-policy SQL-traffic interface outside
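To make the two matching rules and the body-depth point concrete, here is an added Python example. It is not the episode's code and does not reproduce the actual IPS signature regexes (those are not on this page); the patterns are an assumption that follows only the prose description above (UNION [ALL] SELECT with space or plus separators; a preceding separator or equals sign, optional parenthesis, SELECT ... FROM), and the request bodies are constructed, not captured traffic. The max_depth parameter imitates the ASA body-match-maximum setting so you can see why a payload placed just past 2,000 bytes is missed at the default depth and caught at 3,000.

```python
import re

# Added example, not the episode's own regexes: a reconstruction of the
# matching behaviour described in the text. The real IPS signature strings
# are not reproduced on the page, so these patterns are an assumption.

# Word separator as described: URL-encoded space (%20), literal plus, or
# URL-encoded plus (%2b / %2B). A literal space is also accepted because the
# episode's sample phrases are written with plain spaces.
SEP = r"(?:%20|\+|%2[bB]| )"

# Rule modelled on the signature 5930 description: UNION [ALL] SELECT with
# ALL optional and separators between the words, in any letter case.
UNION_SELECT = re.compile(rf"UNION{SEP}+(?:ALL{SEP}+)?SELECT", re.IGNORECASE)

# Rule modelled on the signature 5474 description: a preceding separator or
# equals sign, an optional open parenthesis, SELECT, anything, then FROM.
SELECT_FROM = re.compile(
    rf"(?:{SEP}|=)\(?SELECT{SEP}.*?{SEP}FROM", re.IGNORECASE | re.DOTALL)

RULES = {"union-select": UNION_SELECT, "select-from": SELECT_FROM}


def matched_rules(body, max_depth=None):
    """Return the names of the rules that fire on an HTTP request body.

    max_depth imitates the ASA 'body-match-maximum' parameter: only the
    first max_depth characters of the body are inspected; the rest is
    never seen by the regexes.
    """
    view = body if max_depth is None else body[:max_depth]
    return [name for name, rx in RULES.items() if rx.search(view)]


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "plain": "user=bob&id=7",
    "union": "id=1 UNION ALL SELECT name,pw FROM users",
    "union_enc": "id=1%20UnIoN%2bSeLeCt%20name,pw%20FROM%20users",
    "subselect": "id=(SELECT * FROM users)",
    "select_eq": "id=SELECT PASSWORD FROM accounts",
}

# The failure mode from the ASA section: 2,000 bytes of harmless form data
# push the injected text past the default inspection depth.
DEEP_BODY = "comment=" + "A" * 2000 + "&id=1+UNION+SELECT+name,pw+FROM+users"

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} -> {matched_rules(body)}")
    print("deep body @2000 ->", matched_rules(DEEP_BODY, max_depth=2000))
    print("deep body @3000 ->", matched_rules(DEEP_BODY, max_depth=3000))
```

Running the block prints which rule fires for each constructed body; the deep body is reported as clean at depth 2000 and flagged by both rules at depth 3000, which is exactly the gap the body-match-maximum 3000 line in the configuration above closes.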
When HTTP traffic matches the above regex, the ASA will generate the following syslog message to let the administrator know that the packet was denied and the connection reset.
%ASA-4-507003: tcp flow from inside:192.168.1.5/53583 to outside:198.51.100.208/80 terminated by inspection engine, reason - disconnected, dropped packet.
To mitigate this attack using IOS, we're using the Zone-Based IOS Firewall to watch just HTTP traffic to our web server and monitor for any matches on the regex below. In this case the router happened to be running IOS version 15.1(2)T2, image c2800nm-adventerprisek9-mz.151-2.T2.bin.
parameter-map type regex SQL-injection-regex-first