Generic SQL Injection in HTTP Request

Sep 1st, 2010

So our project allows Facebook interaction. MARS sends out this Incident Event type every time someone attaches to Facebook. Is this something I can just False Positive out or should I be concerned about it? What is Facebook sending back to our network so we get this message on MARS?

Jia Liu (Cisco Employee) Wed, 09/01/2010 - 16:56

Which device is sending this alert to MARS?  If it's an IPS sensor, check the description of the signature to see what kind of behavior will trigger the alert.  To see what Facebook is sending back to your network, you can do a sniffer trace and analyze the packets.

avanzaadmin Thu, 09/02/2010 - 01:08

I get numerous alerts from our IDSMs and have mitigated this by:

1: not allowing the IDSMs to block our outgoing traffic at all. Not worth the risk of causing a major outage.

2: creating a drop in MARS that drops all SQL Injections destined for the Facebook subnets (69.63.176.1-69.63.183.254, 66.220.144.1-66.220.159.255).


Regards

Fredrik
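
The scoped drop described in the reply above, sketched as an added example that is not part of the original thread and is not MARS configuration: the event is suppressed only when both the event type and the destination range match, so the same signature firing against any other destination still surfaces. The event field names (`type`, `src`, `dst`) and the sample events are assumptions constructed for illustration; the address ranges are the ones quoted in the post.

```python
import ipaddress

# Address ranges quoted in the post above.
FACEBOOK_RANGES = [
    ("69.63.176.1", "69.63.183.254"),
    ("66.220.144.1", "66.220.159.255"),
]
SUPPRESSED_EVENT = "Generic SQL Injection in HTTP Request"


def to_networks(ranges):
    """Turn first-last address ranges into CIDR blocks covering them exactly."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


FACEBOOK_NETS = to_networks(FACEBOOK_RANGES)


def should_drop(event):
    """Drop only the one event type, and only for destinations in the ranges."""
    if event["type"] != SUPPRESSED_EVENT:
        return False
    dst = ipaddress.ip_address(event["dst"])
    return any(dst in net for net in FACEBOOK_NETS)


def triage(events):
    """Return the events that still need an analyst's attention."""
    return [e for e in events if not should_drop(e)]


# Constructed sample events (hypothetical field names, not MARS output).
SAMPLE_EVENTS = [
    {"type": SUPPRESSED_EVENT, "src": "10.1.1.20", "dst": "69.63.180.10"},
    {"type": SUPPRESSED_EVENT, "src": "203.0.113.7", "dst": "10.1.1.80"},
    {"type": "Port Scan", "src": "10.1.1.20", "dst": "66.220.150.1"},
    {"type": SUPPRESSED_EVENT, "src": "10.1.1.20", "dst": "69.63.184.1"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(e["type"], e["src"], "->", e["dst"])
```
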
