We occasionally get "5930 - Generic SQL Injection" alerts on our network.
Signature Details: "Union All? Select". Unfortunately, I can't find a match for this string in the attacker context. I have even looked at the PIX logs, which contain "x.x.x.x Accessed URL", for a possible "Union All? select" as part of the URL but could not find any.
Could you please throw some light on how to determine if this is a genuine attack or not?
Secondly, I have seen a lot of similar ones: "Aspirox Injection" alerts don't provide the URL in the attacker context. I need to go and fetch the corresponding PIX log to figure out which URL was targeted by this attack.
Could you not capture the entire URL? This alert without URL context is meaningless.