sql injection update signature

josephium · ‎09-17-2008

hi,

we are currently comparing cisco ips to tippingpoint, i have a cisco ips in front and tippingpoint in the back, so we are checking if cisco ips is missing on a lot of stuff , and currently it is missing on SQL injection attacks and cross scripting, which seems to be the weak point in cisco ips, its missing a lot on sql injection signatures, i mean why a simple update/set command does not have a signature ?

mhellman · ‎09-17-2008

Cisco just recently added some "generic SQL injection" signatures. Are you on the latest signature release? 5930-0 thru 5930-6 are the new ones. There is no update/set one though AFAICT. 5474-0 and 5474-1 are the only other signatures I'm aware of.

josephium · ‎09-18-2008

Thank you for your reply, do you know how to get in contact with the ips signature engineers at Cisco , i would like to share my comparaison with them as well as an attack that is passing all sql injection signature containing update but with u%pdate and the sql database is interpreting it as a normal update.

wsulym · ‎09-18-2008

Send us an email to ips-signature-team@cisco.com one of the signature developers will pick it up.