
TAC Security Podcast Episode #16 - Mitigating a SQL attack with ASA, IPS and IOS Firewall


Episode Information


Episode Name: Episode 16 - Mitigating a SQL attack with ASA, IPS and IOS Firewall

Contributors:  Blayne Dreier, Jay Johnston, Magnus Mortensen, David White

Posting Date: February 2, 2011

Description:  In this episode, the panel discusses SQL attacks against web servers, and how they are detected and mitigated by the IPS appliances.  In addition, the panel looks at how you can use the same signatures from the IPS and apply them as regex matches to the http inspection engines on both the ASA and IOS-Firewall.


Listen Now    (MP3 22.8 MB; 32:28 mins)


Subscribe to the Podcast


Subscribe to the Podcast in iTunes, or search within iTunes for Cisco TAC Security Podcast and subscribe there.  By subscribing, you will automatically receive future episodes when they are posted.



About the Cisco TAC Security Podcast


The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.


Complete episode listing and show information


Show Notes


For the exploit used in the Podcast discussion, the following IPS signatures will detect the attack:


  • Generic SQL Injection - Signature ID=5930
  • SQL Query in HTTP Request - Signature ID=5474


Examining those signatures on the IPS, we can see the following Regular Expression (regex) patterns which are used to match against those signatures:


Generic SQL Injection - Signature ID=5930




The above regex pattern is really looking for the text "UNION ALL SELECT", where the "ALL" is optional.  Between the words it accepts either a URL-encoded space (%20) or a plus (+).  Therefore, all of the following phrases will cause the regex to match:





Also note that the text is matched regardless of case, and that each separator can independently be either a space or a plus.  Thus the following also matches:


UnIoN+AlL sElEcT


Since the regex can be a little confusing, we have broken it apart to show what each section of the regular expression is doing.




One thing to note is that the (%20|\x2b) piece matches either the URL encoding of a space (%20) or a plus (+), the latter written as \x2b in ASCII hexadecimal notation.


SQL Query in HTTP Request - Signature ID=5474




This second regex is slightly more complicated, but very similar to the previous one.  In this case, the regex requires a preceding space, plus or equal sign, followed by an optional open parenthesis, then the text SELECT, then any number of characters, and then the text FROM.  Therefore, all of the following phrases will cause the regex to match:







Given that there are 7 sections to the regex, there are quite a few different possibilities for this regex.  Again, all text is case insensitive.  One thing to note here is the alternate form used to match a space or a plus, ([%]2[0bB]|[+]).  This form is a bit longer than the one we saw in signature 5930, and matches not only the literal plus (+) but also the URL-encoded form of a plus (%2b or %2B), which is actually 3 ASCII characters.







Device Specific Configurations



No specific configuration is required on IPS, as the regular expressions above are included in the signature set which is installed on the IPS.  They are also enabled by default, so users are protected from these types of attacks.


Signature definitions from


Signature 5930/0: Generic SQL Injection


Signature 5474/0: SQL Query in HTTP Request



In order to match the above two regular expressions on the ASA (so that it detects the exploit), we have to do a few things.


First, the regex for signature 5474 is 133 characters long, but the ASA limits a regular expression to a maximum of 101 characters.  Therefore, for the ASA we will use the following regular expression pattern:




What we changed: we removed the leading check for a space, plus or equal sign, and also removed the optional brackets around the % and + signs.  Removing the leading check for the space, plus or equal sign reduces the fidelity of the signature and can result in more false negative conditions.


Second, because the exploit is delivered in the body of an HTTP POST, we need to increase the number of bytes of the body that the ASA inspects before it stops.  By default this is 2,000 bytes, but our exploit payload sits just past 2,000 bytes, so we increase the limit to 3,000 bytes under the parameters section.


One final important note: the ASA parser treats any question mark (?) you enter as a request for help.  Therefore, in order to enter a question mark (?) in the regex, you must first escape it by typing the Control+V character sequence, then the question mark.  The Control+V character will not appear on the screen.
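As an added illustration (not code from the podcast or from Cisco), the following Python script applies the two signature regexes, taken verbatim from the IOS parameter-maps further down this page, to a few constructed request bodies, showing which encodings each signature catches (including the %2b case that only 5474 sees), and models the ASA's body-match-maximum to show why the default 2,000 bytes missed a deep payload and 3,000 catches it. It assumes that Python's re engine behaves like the IPS/ASA/IOS engines for these patterns; the sample bodies and the matched_signatures/depth_comparison helpers are constructed for this example.

```python
import re

# The two IPS signature regexes exactly as the IOS parameter-maps on this page carry them.
SIG_5930 = r"[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]"
SIG_5474 = (r"([%]2[0bB]|[=]|[+])[(]?[Ss][Ee][Ll][Ee][Cc][Tt]([%]2[0bB]|[+])"
            r"[^\r\x00-\x19\x7f-\xff]+([%]2[0bB]|[+])[Ff][Rr][Oo][Mm]([%]2[0bB]|[+])")
SIGNATURES = {"5930": re.compile(SIG_5930), "5474": re.compile(SIG_5474)}


def matched_signatures(body, body_match_maximum=2000):
    """Return the IDs of the signatures that fire on an HTTP request body.

    Only the first body_match_maximum bytes are examined, mirroring the ASA's
    body-match-maximum (default 2000): a payload past that point is never seen.
    Assumption: Python's re engine approximates the Cisco regex engines here.
    """
    window = body[:body_match_maximum]
    return sorted(sid for sid, rx in SIGNATURES.items() if rx.search(window))


# Constructed sample POST bodies (not taken from the podcast).
SAMPLES = {
    "plus separators, no FROM":      "id=1+UNION+ALL+SELECT+1,2,3",
    "%20 separators, SELECT..FROM":  "id=1%20union%20select%20name%20from%20users%20",
    "%2b (URL-encoded plus)":        "id=1%2bunion%2bselect%2bname%2bfrom%2busers%2b",
    "mixed case":                    "x=UnIoN+AlL+sElEcT",
    "benign":                        "user=alice&union=member&selected=1",
}
# Constructed body whose payload sits just past the ASA's default 2000-byte depth.
DEEP_BODY = "a" * 2100 + "+UNION+SELECT+1"


def depth_comparison(body=DEEP_BODY):
    """Show why body-match-maximum had to be raised from 2000 to 3000 bytes."""
    return {"2000": matched_signatures(body, 2000),
            "3000": matched_signatures(body, 3000)}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:32s} -> {matched_signatures(body, 3000) or ['no match']}")
    print("deep payload:", depth_comparison())
```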



ASA Configuration


regex SQL_regex_1 "[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]"
regex SQL_regex_2 "[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)"
!
class-map WebServers
 match port tcp eq www
!
class-map type inspect http match-any SQL-map
 match request body regex SQL_regex_1
 match request body regex SQL_regex_2
!
policy-map type inspect http drop-SQL
 parameters
  body-match-maximum 3000
 class SQL-map
  drop-connection log
!
policy-map SQL-traffic
 class WebServers
  inspect http drop-SQL
!
service-policy SQL-traffic interface outside





ASA Syslog

When HTTP traffic matches the above regex, the ASA generates the following syslog message to let the administrator know that the packet was denied and the connection reset.


%ASA-4-507003: tcp flow from inside: to outside: terminated by inspection engine, reason - disconnected, dropped packet.




To mitigate this attack using IOS, we use the Zone-Based IOS Firewall to inspect only HTTP traffic to our web server and watch for any matches on the regex below. In this case the router happened to be running IOS version 15.1(2)T2, image c2800nm-adventerprisek9-mz.151-2.T2.bin.

IOS Config


parameter-map type regex SQL-injection-regex-first
 pattern [uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]
!
parameter-map type regex SQL-injection-regex-second
 pattern ([%]2[0bB]|[=]|[+])[(]?[Ss][Ee][Ll][Ee][Cc][Tt]([%]2[0bB]|[+])[^\r\x00-\x19\x7f-\xff]+([%]2[0bB]|[+])[Ff][Rr][Oo][Mm]([%]2[0bB]|[+])
!
class-map type inspect match-all http-traffic-class
 match protocol http
 match access-group name traffic-to-server
!
class-map type inspect http match-any SQL-injection-class
 match req-resp body regex SQL-injection-regex-first
 match req-resp body regex SQL-injection-regex-second
!
policy-map type inspect http SQL-injection-http-policy
 class type inspect http SQL-injection-class
  reset
  log
!
policy-map type inspect http-traffic-policy
 class type inspect http-traffic-class
  inspect
  service-policy http SQL-injection-http-policy
 class class-default
!
zone security inside
zone security outside
zone-pair security in-out source inside destination outside
 service-policy type inspect http-traffic-policy
!
interface GigabitEthernet0/0
 ip address
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
!
ip access-list extended traffic-to-server
 permit tcp any host eq www
!
ip nat inside source list 5 interface GigabitEthernet0/1 overload
access-list 5 permit



IOS Syslog

When traffic matches the regex pattern in the above HTTP inspection engine, IOS generates the following syslog message:


%APPFW-4-HTTP_BODY_REGEX_MATCHED: Body regex ([uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][) matched - resetting session on zone-pair in-out class http-traffic-class appl-class SQL-injection-class

SQL Injection attacks can be funny too!



Great show as per usual, fellas. One Q: what's the crack with the NAT on the IOS FW? There are no IPs for it.


Jay Johnston
Cisco Employee

Golly, I added the nat configuration as requested...good catch!


No worries. :-)

Not wanting to hijack your show, here's an IKEv2 VPN I created on a pair of ASAs earlier...

Jay Johnston
Cisco Employee

That's a good configuration reference. Consider posting it in the VPN community here:
