Generic SQL Injection

We occasionally get "5930 - Generic SQL Injection" alerts on our network.

Signature Details: "Union All? Select". Unfortunately I can't find a match for this string in the attacker context. I have even looked at PIX logs which contain "x.x.x.x Accessed URL" for a possible "Union All? select" as part of the URL but could not find any.

Could you please throw some light on how to determine if this is a genuine attack or not.

Secondly, I have seen a lot of similar ones: "Aspirox Injection" alerts don't provide the URL in the attacker context. I need to go and fetch the corresponding PIX log to figure out which URL was targeted by this attack.

Could you not capture the entire URL? This alert without URL context is meaningless.

5 Replies

rhermes
Level 7

I assume you tried setting the detailed/verbose action on this signature. If you already have, try setting the action on signature 5930 to log the attacker packets and the victim packets. You should be able to follow what is happening once you review the capture logs.

My research leads me to believe the SQL signatures are pretty accurate. If they fire, someone is trying to do a SQL injection. The real question is how does your database respond? As indicated earlier, capture the data stream but also look at your server and database logs. Has something changed in your database?

I have an attachment which contains the attacker context that triggered a "Generic SQL Injection" alert as well as the corresponding PIX log. This is what I am talking about.

The Generic SQL 'does' actually generate a lot of false positives. Currently it's complaining about slide.com and it's firing for our Network Admin (sitting right next to me). And I'm sure he is not trying to do a SQL injection attack on slide.com (he does not even know what SQL injection is :).

Regards

Farrukh

Okay, first of all... you should know that the attacker context will not always have everything you need to make sense of an alarm. In your case it does. If you really want to research something, add one of the "log packets" actions. Here is the regex for that sig:

[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]

This part of the regex

([aA][lL][lL](%20|\x2b))?

means that "ALL" is optional.

So, just "union-select" matches. Part of the URL in the provided context is "-union-select-221049.html". You can probably reproduce pretty easily by just entering a fake URL with union-select:

http://www.google.com/union-select

Yes, this is going to have false positives.
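As an added triage example (not code from the thread, from Cisco, or from the signature itself), the script below compiles the 5930 regex exactly as posted above and runs it over constructed PIX-style "Accessed URL" lines, reporting what the pattern matched and whether the hit sits in the URL path or the query string. The hostnames, addresses, the log-line shape and the helper names are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Signature 5930 regex exactly as quoted in the reply above.
# In a regex, \x2b is the "+" character, so the pattern needs an encoded
# space (%20) or a "+" between UNION, the optional ALL, and SELECT.
SIG_5930 = re.compile(
    r"[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]"
)


def sig_5930_match(url):
    """Return the substring of `url` that would trip signature 5930, or None."""
    m = SIG_5930.search(url)
    return m.group(0) if m else None


def match_component(url, matched):
    """Say whether the matched text lives in the query string or the path.

    A hit inside a query parameter next to commas/digits looks like an
    injection probe; a hit inside a static path is far more often a
    filename that happens to contain the words.
    """
    parts = urlsplit(url)
    if matched is None:
        return None
    if matched in parts.query:
        return "query"
    if matched in parts.path:
        return "path"
    return "other"


# Constructed sample lines, loosely modelled on the PIX "Accessed URL"
# syslog message the original poster mentions. Addresses and hosts are
# made up for the example and are not from the thread's attachment.
SAMPLE_PIX_LINES = [
    "10.0.0.5 Accessed URL 203.0.113.10:http://shop.example/item.php?id=1%20union%20all%20select%201,2,3",
    "10.0.0.6 Accessed URL 203.0.113.11:http://shop.example/item.php?id=1+UNION+SELECT+user,pass",
    "10.0.0.7 Accessed URL 203.0.113.12:http://slide.example/photos-union-select-221049.html",
    "10.0.0.8 Accessed URL 203.0.113.13:http://news.example/story?q=union%20of%20states",
]

# Assumed line shape: "<client> Accessed URL <server>:<url>".
PIX_LINE = re.compile(r"^(\S+) Accessed URL (\S+?):(\S+)$")


def triage_pix_log(lines):
    """Parse each log line and record what the 5930 regex matches in its URL."""
    results = []
    for line in lines:
        m = PIX_LINE.match(line)
        if not m:
            continue  # not an "Accessed URL" record; skip it
        src, server, url = m.groups()
        matched = sig_5930_match(url)
        results.append({
            "src": src,
            "server": server,
            "host": urlsplit(url).hostname,
            "url": url,
            "match": matched,
            "component": match_component(url, matched),
        })
    return results


if __name__ == "__main__":
    for r in triage_pix_log(SAMPLE_PIX_LINES):
        verdict = "no match" if r["match"] is None else f"matched {r['match']!r} in {r['component']}"
        print(f"{r['src']} -> {r['host']}: {verdict}")
```

Running it shows the two query-string probes matching ("union%20all%20select" and "UNION+SELECT") and the plain "union of states" search not matching. Note that the hyphenated "photos-union-select-221049.html" path does not match the regex as transcribed, because "-" is neither %20 nor "+"; if a sensor does fire on a URL like that, either the deployed signature text differs from the quoted regex or the engine is matching a normalized form of the URL, which is exactly the kind of detail the "log packets" capture suggested above will settle.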
