1189 Views, 18 Helpful, 11 Replies

SQL injection recon detection

mhellman (Level 7)

Why are there no vendor provided signatures that detect SQL injection reconnaissance? I recently did an internal pen test and it reminded me again of this deficiency. I've been meaning to write my own for the longest time, but frankly...why should I need to? It is simply amazing to me that I can throw standard SQL injection tests at a web app and our network IDS is "blind" to them.

http://ha.ckers.org/sqlinjection/

11 Replies

attmidsteam (Level 1)

Join the club. :-) I got fed up too and am writing all my own for detecting excessive SELECTs, INSERTs/UPDATEs/DELETEs etc but with obfuscation the task becomes very difficult. This really needs to happen within the http-server engine but I'm using multi-string because I wanted a list of keywords in a certain order.

See also: http://isc.sans.org/diary.html?storyid=4565

TradeSecrets (Level 1)

Hi there,

The days of IDS are coming to an end. I know IPS is expensive, but they are well worth the price.

Below are a few SQL signatures you can add to a SNORT IDS or some other IDS.

|90909090|
|04010101010101|
--'|22|'

Let me know if that helps.

~TS

All I saw posted were 3 small strings which WOULD not protect against SQL injections, sorry (and would trigger some massive false positives).

An IPS is the same thing as an IDS but with the 'magic' buzzword of being inline. The same pattern based technology is still being utilized.

Agreed. In the vast majority of cases, IDS isn't "good enough" to be IPS. For me, IPS is policy/security enforcement and belongs on a firewall. IDS is policy/security monitoring, which doesn't necessarily need to be inline.

Back to the topic... I'm not really looking at detecting/preventing [insert flavor of the day] SQL injection worm. I'm looking at detecting a user using the typical patterns used to test for SQL vulnerabilities. They will almost certainly be easy to evade, but we do what we can.

We're working on improved coverage for SQL injection attacks.

Martin

IPS Signature Team

That would be awesome. Do you mean, "we're thinking about it" or, "we're sorting out the proper engines and regex's to use now"?? ;-)

It means "We're sorting out the proper engines and regex's to use".

SQL injection is quite a problem to catch though, as you basically hand something like source code to an interpreter, which means an attack can be encoded and vary in a thousand different ways. As we do try to create intelligent signatures, instead of simply hunting for fixed and most often easily changed strings in a stream, this makes writing signatures for SQL injection attacks kind of hard.
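The encoding problem Martin describes above, and the "typical patterns used to test for SQL vulnerabilities" mhellman wants to catch, as an added example that is not part of the thread and not any vendor's signature set: a small Python detector that normalizes a query string (URL-decodes it twice, case-folds it, turns inline comments and runs of whitespace into single spaces) before matching a handful of recon patterns, run side by side with the fixed-string matching a naive content rule would do. The sample query strings, the pattern names and the RECON_PATTERNS/FIXED_STRINGS tables are constructed for the example.

```python
"""Normalize a query string before matching SQL injection recon probes.

Added example, not from the thread: compares naive fixed-string matching
(what a simple IDS content rule does) with matching after normalization.
"""
import re
from urllib.parse import unquote_plus

# Recon probes a tester typically throws at a parameter (cf. the ha.ckers.org
# cheat sheet linked in the thread). Names and regexes are this example's own;
# they are written in lower case and run against the normalized string.
RECON_PATTERNS = {
    "tautology":     re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+"),   # ' OR 1=1  /  ' or 'a'='a
    "union-select":  re.compile(r"\bunion\b.{0,40}\bselect\b"),
    "stacked-query": re.compile(r";\s*(?:drop|delete|insert|update|exec|declare)\b"),
    "comment-trail": re.compile(r"(?:--|#|/\*)\s*$"),                # comment that kills the rest of the query
}

# Fixed strings as a naive signature would carry them (constructed for the example).
FIXED_STRINGS = ["' OR 1=1", "UNION SELECT", "DROP TABLE"]

# Constructed sample query strings: the same probes in several encodings, plus a benign one.
SAMPLE_REQUESTS = {
    "plain":      "id=1' OR 1=1--",
    "urlencoded": "id=1%27%20OR%201%3D1--",
    "mixed-case": "id=1' oR 1=1--",
    "dblencoded": "id=1%2527%2520or%25201%253d1--",
    "comments":   "id=1' UNION/**/SELECT/**/user,pass/**/FROM/**/users--",
    "plusenc":    "id=1';+DROP+TABLE+users--",
    "benign":     "id=1&sort=name",
}


def normalize(query):
    """Reduce the encodings an attacker can choose from to one canonical form."""
    s = query
    for _ in range(2):                 # decode twice so %2527 -> %27 -> ' is caught
        s = unquote_plus(s)            # also turns '+' into a space
    s = s.lower()                      # the regexes are written in lower case
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # UNION/**/SELECT -> union select
    s = re.sub(r"\s+", " ", s)         # collapse tabs/newlines/multiple spaces
    return s


def match_fixed(query):
    """Naive content matching on the raw query string."""
    return [p for p in FIXED_STRINGS if p in query]


def match_recon(query):
    """Names of the recon patterns that fire on the normalized query string."""
    n = normalize(query)
    return [name for name, rx in RECON_PATTERNS.items() if rx.search(n)]


def scan(requests=SAMPLE_REQUESTS):
    """Map each sample name to (fixed-string hits, normalized recon hits)."""
    return {name: (match_fixed(q), match_recon(q)) for name, q in requests.items()}


if __name__ == "__main__":
    for name, (fixed, recon) in scan().items():
        print(f"{name:<11} fixed={fixed!s:<14} recon={recon}")
```

Running it shows the fixed strings hit only the plain-text probe, while the normalized patterns hit every encoded variant and stay quiet on the benign request. The normalization is deliberately simple; it does not cover charset tricks, `%u` encoding, or database-specific comment syntax, so treat it as the starting point for the kind of signature the thread is asking for rather than a finished one.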

Don't be sorry. It doesn't sound like you have a clue what you are talking about anyways. These signatures were pulled from a leading IPS vendor's device. Just so you know, IPS and IDS are not the same thing. Can I take your star away...

Oh, whoops.

Let's not get into a squabble about IDS versus IPS, they're market driven terms that mean different things to different people.

You don't provide any context for the regex you provided. What is it specifically designed to detect/protect? It looks like Snort regex, is it? Why not post the whole rule to give some context? I need more than just a regex to create a useful signature.

TradeSecrets:

Please provide the full signature so we can discuss it.

christianz (Level 1)

I agree in the sense that the SQL signature set of ASA IPS is a bit poor. If it can help someone, I've written my own signature in order to catch an attacker. It's working fine, and I think that it is easy to modify.

-------------------
signatures 60000 0
alert-severity medium
sig-fidelity-rating 75
sig-description
sig-name CHZ SQL Injection
sig-string-info CHZ SQL Injection
sig-comment SQL Injection written by CHZ
exit
engine string-tcp
event-action produce-alert|deny-packet-inline|reset-tcp-connection
regex-string ([Dd][Ee][Cc][Ll][Aa][Rr][Ee])\%20\@.\%20([Vv][Aa][Rr][Cc][Hh][Aa][Rr])(.*);([Ss][Ee][Tt])\%20\@.=([Cc][Aa][Ss][Tt])
service-ports #WEBPORTS
exit
alert-frequency
summary-mode summarize
exit
exit
status
enabled true
exit
specify-mars-category yes
mars-category DoS/WebServer
exit
exit
-------------------

Best Regards

Chz
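To see what the signature above actually covers, here is an added example that is not from the thread: christianz's regex-string transcribed into Python syntax and run against constructed request lines. The Cisco string-tcp engine applies the regex across the TCP stream; the example simply applies it to one request line at a time, which is enough to show the coverage. The request lines are constructed for the example (the hex inside CAST() is a placeholder, not a real payload), and BROADER_REGEX is the example's own loosened variant, not a Cisco signature.

```python
"""Exercise the CHZ SQL injection regex-string against constructed requests.

Added example, not from the thread: CHZ_REGEX is christianz's regex-string
transcribed into Python's re syntax; BROADER_REGEX is this example's own
loosened version of it.
"""
import re

# Literal transcription of the posted regex-string. The \% and \@ escapes of the
# Cisco syntax are plain characters in Python's re; everything else is unchanged.
CHZ_REGEX = re.compile(
    r"([Dd][Ee][Cc][Ll][Aa][Rr][Ee])%20@.%20([Vv][Aa][Rr][Cc][Hh][Aa][Rr])(.*);"
    r"([Ss][Ee][Tt])%20@.=([Cc][Aa][Ss][Tt])"
)

# This example's own loosened variant (not a Cisco signature): accepts '+' as
# well as %20 for the space, and variable names longer than one character.
BROADER_REGEX = re.compile(
    r"declare(?:%20|\+)@\w+(?:%20|\+)varchar.*;set(?:%20|\+)@\w+=cast", re.I
)

# Constructed request line in the shape of the classic DECLARE/SET/CAST/EXEC
# mass-injection payload. The hex is a placeholder ("SELECT"), not a real payload.
WORM = ("GET /page.asp?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST("
        "0x53454C454354%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1")

# Constructed variants: trivial changes an attacker can make, plus a benign
# request that happens to carry T-SQL in a form field.
SAMPLE_REQUESTS = {
    "worm-as-posted":    WORM,
    "lowercase":         WORM.lower(),
    "plus-encoded":      WORM.replace("%20", "+"),      # '+' instead of %20 for the spaces
    "two-char-var":      WORM.replace("@S", "@SQ"),     # regex requires a one-character name
    "at-encoded":        WORM.replace("@", "%40"),      # '@' sent URL-encoded
    "benign-forum-post": ("POST /ask HTTP/1.1 body=DECLARE%20@S%20VARCHAR(10);"
                          "SET%20@S=CAST(123%20AS%20VARCHAR(10));SELECT%20@S"),
}


def chz_fires(request_line):
    """True if the posted signature regex matches the request line."""
    return CHZ_REGEX.search(request_line) is not None


def broader_fires(request_line):
    """True if the loosened variant matches the request line."""
    return BROADER_REGEX.search(request_line) is not None


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each sample name to (posted regex fires, broadened regex fires)."""
    return {name: (chz_fires(r), broader_fires(r)) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (chz, broader) in evaluate().items():
        print(f"{name:<18} posted={chz!s:<6} broadened={broader}")
```

Two things stand out when this runs. The posted regex needs a literal `%20` and a one-character variable name, so switching to `+` encoding, using `@SQ`, or sending `@` as `%40` each slips past it, and the loosened variant still misses the last of these. And because the regex only looks at the shape of the T-SQL, the benign forum post fires it as well; with `deny-packet-inline|reset-tcp-connection` in the event-action that legitimate request would be dropped, which is worth weighing before enabling the signature inline with a fidelity of 75.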
