Generic SQL Injection

Unanswered Question
Sep 9th, 2008

We occasionally get "5930 - Generic SQL Injection" alerts on our network.

Signature Details: "Union All? Select". Unfortunately I can't find a match for this string in the attacker context. I have even looked at PIX logs, which contain "x.x.x.x Accessed URL", for a possible "Union All? select" as part of the URL but could not find any.


Could you please throw some light on how to determine if this is a genuine attack or not?


Secondly, I have seen a lot of similar ones: "Aspirox Injection" alerts don't provide the URL in the attacker context. I need to go and fetch the corresponding PIX log to figure out which URL was targeted by this attack.


Could you not capture the entire URL? This alert without URL context is meaningless.

rhermes Tue, 09/09/2008 - 14:09
User Badges:
  • Gold, 750 points or more

I assume you tried setting the detailed/verbose action on this signature. If you already have, try setting the action on signature 5930 to log the attacker packets and the victim packets. You should be able to follow what is happening once you review the capture logs.


rmeans Wed, 09/10/2008 - 04:51

My research leads me to believe the SQL signatures are pretty accurate. If they fire, someone is trying to do a SQL injection. The real question is how does your database respond? As indicated earlier, capture the data stream but also look at your server and database logs. Has something changed in your database?

Farrukh Haroon Sat, 09/13/2008 - 00:29
User Badges:
  • Red, 2250 points or more

The Generic SQL 'does' actually generate a lot of false positives. Currently it's complaining about slide.com and it's firing for our Network Admin (sitting right next to me). And I'm sure he is not trying to do a SQL injection attack on slide.com (he does not even know what SQL injection is :).


Regards


Farrukh

mhellman Tue, 09/16/2008 - 09:23
User Badges:
  • Blue, 1500 points or more

Okay, first of all... you should know that the attacker context will not always have everything you need to make sense of an alarm. In your case it does. If you really want to research something, add one of the "log packets" actions. Here is the regex for that sig:


[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]


This part of the regex

([aA][lL][lL](%20|\x2b))?

means that "ALL" is optional.



So, just "union-select" matches. Part of the URL in the provided context is "-union-select-221049.html". You can probably reproduce pretty easily by just entering a fake URL with union-select:


http://www.google.com/union-select


Yes, this is going to have false positives.
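The following is an added example and not part of any post in this thread. It wires the 5930 expression exactly as quoted above into a small scan over constructed PIX-style "Accessed URL" lines (the line format is modelled on the question's description, with documentation-range addresses, not real device output), so the two halves of the triage described in the thread can be checked together: which URLs trip the pattern, and which client address fetched them. It also makes the separator behaviour of the quoted alternation visible: `%20` or `\x2b` (a literal `+`) between the keywords, with `ALL` plus a separator optional. A URL with hyphen separators, as in the `-union-select-221049.html` fragment, is included so the reader can see how the expression as quoted treats it; the deployed signature may apply normalization (for example URL decoding) that this stand-alone check does not.

```python
import re

# Signature 5930 ("Generic SQL Injection") regex exactly as quoted in the thread.
# Python's re reads \x2b as the hex escape for '+', so the separator alternation
# accepts "%20" or a literal "+" between the keywords; "ALL" plus a separator is optional.
SIG_5930 = re.compile(
    r"[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]"
)

# Constructed PIX-style "Accessed URL" lines: the shape follows the question's
# description ("x.x.x.x Accessed URL"), not a captured device log.
LOG_LINES = [
    "Sep 09 2008 13:58:01 pix1 %PIX-5-304001: 192.0.2.15 Accessed URL 198.51.100.7: "
    "http://www.example.com/news/-union-select-221049.html",
    "Sep 09 2008 13:58:04 pix1 %PIX-5-304001: 192.0.2.15 Accessed URL 198.51.100.7: "
    "http://www.example.com/search?q=union+select",
    "Sep 09 2008 13:58:09 pix1 %PIX-5-304001: 192.0.2.22 Accessed URL 198.51.100.9: "
    "http://www.example.com/index.html",
    "Sep 09 2008 13:58:12 pix1 %PIX-5-304001: 192.0.2.31 Accessed URL 198.51.100.12: "
    "http://www.example.com/item?id=1%20UNION%20ALL%20SELECT%201",
]

# Pulls "<client ip> Accessed URL <server>: <url>" out of a constructed line.
ACCESSED_URL = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) Accessed URL \S+ (\S+)")


def trips_5930(url: str) -> bool:
    """True if the 5930 pattern as quoted matches anywhere in the URL string."""
    return SIG_5930.search(url) is not None


def scan_accessed_url_logs(lines):
    """Return (client_ip, url) for every Accessed URL record whose URL trips 5930.

    Lines that are not Accessed URL records are skipped, so the scan can be
    pointed at a mixed firewall log export.
    """
    hits = []
    for line in lines:
        m = ACCESSED_URL.search(line)
        if m is None:
            continue  # not an Accessed URL record
        client_ip, url = m.group(1), m.group(2)
        if trips_5930(url):
            hits.append((client_ip, url))
    return hits


if __name__ == "__main__":
    for ip, url in scan_accessed_url_logs(LOG_LINES):
        print(f"{ip} fetched a URL matching sig 5930: {url}")
    # The two probe URLs differ only in the separator character.
    for probe in ("http://www.google.com/union-select", "http://www.google.com/union+select"):
        print(f"{probe!r} -> {trips_5930(probe)}")
```

Run against a real export, the hits give the client address and URL to line up against the IPS alert's attacker address and timestamp, which is the correlation the question was trying to do by hand. A hit from a browsing user on an ordinary page path is the false positive discussed above; a hit whose URL carries the keywords inside a query parameter is the case where the server and database logs should be checked next, as rmeans suggests.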
