Cisco Support Community

New Member

Generic SQL Injection

We occasionally get "5930 - Generic SQL Injection" alerts on our network.

Signature Details: "Union All? Select". Unfortunately I can't find a match for this string in attacker context. I have even looked at PIX logs which contains "x.x.x.x Accessed URL" for possible "Union All? select" as part of the URL but could not find any.

Could you please throw some light on how to determine if this is a genuine attack or not.

Secondly I have seen a lot of similar ones - "Aspirox Injection" alerts don't provide the URL in the attacker context. I need to go and fetch the corresponding PIX log to figure out which URL was targeted by this attack.

Could you not capture the entire URL? This alert without URL context is meaningless.

5 REPLIES
Gold

Re: Generic SQL Injection

I assume you tried setting the detailed/verbose action on this signature. If you already have, try setting the action on signature 5930 to log the attacker packets and the victim packets. You should be able to follow what is happening once you review the capture logs.

New Member

Re: Generic SQL Injection

My research leads me to believe the SQL signatures are pretty accurate. If they fire, someone is trying to do a SQL injection. The real question is how does your database respond? As indicated earlier, capture the data stream but also look at your server and database logs. Has something changed in your database?

New Member

Re: Generic SQL Injection

I have an attachment which contains the attacker context that triggered a "Generic SQL Injection" alert as well as the corresponding PIX log. This is what I am talking about.

Re: Generic SQL Injection

The Generic SQL 'does' actually generate a lot of false positives. Currently it's complaining about slide.com and it's firing for our Network Admin (sitting right next to me). And I'm sure he is not trying to do a SQL injection attack on slide.com (he does not even know what SQL injection is :).

Regards

Farrukh

Gold

Re: Generic SQL Injection

Okay, first of all, you should know that the attacker context will not always have everything you need to make sense of an alarm. In your case it does. If you really want to research something, add one of the "log packets" actions. Here is the regex for that sig:

[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]

This part of the regex

([aA][lL][lL](%20|\x2b))?

means that "ALL" is optional.

So, just "union-select" matches. Part of the URL in the provided context is "-union-select-221049.html". You can probably reproduce pretty easily by just entering a fake URL with union-select:

http://www.google.com/union-select

Yes, this is going to have false positives.
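The reply above explains the signature by reading its regex. As an added example (not from the thread, not Cisco's code), the script below applies that exact regex to a handful of constructed URLs and then adds a simple analyst-side triage step: where the match landed (path vs. query string) and whether the decoded query carries other SQL markers. The `SQL_CONTEXT` pattern, the three triage labels and every sample URL are my own assumptions for illustration. Note that, as quoted, the separator between the keywords is `%20` or `\x2b` (a plus sign), so a hyphen-separated page slug is outside that exact pattern; the signature actually deployed on a sensor may be broader, so the hyphen sample only shows how to read the regex, not how the product behaves.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Regex exactly as quoted in the reply above for signature 5930.
# \x2b is '+', so the separator between keywords is "%20" or "+".
SIG_5930 = re.compile(
    r"[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]"
)

# Added heuristic (not part of the Cisco signature): extra SQL markers in the
# decoded query string that separate an injection probe from a search phrase.
SQL_CONTEXT = re.compile(r"\bfrom\b|--|/\*|'|\b(null|concat|version)\b", re.IGNORECASE)

# Constructed sample URLs for illustration; none are from the thread or from real traffic.
SAMPLES = [
    "http://example.test/search?q=union+select",                          # bare keywords in a query
    "http://example.test/item.php?id=1'%20UNION%20ALL%20SELECT%20null,version()--",
    "http://example.test/forum/union+select+syntax+help",                 # slug-like path, '+' as space
    "http://example.test/blog/credit-union-select-accounts.html",         # hyphen: outside quoted regex
    "http://example.test/?q=union_select",                                # underscore: no match
]


def sig_5930_fires(url):
    """True when the quoted signature regex matches anywhere in the raw URL."""
    return SIG_5930.search(url) is not None


def triage(url):
    """Classify a URL the way an analyst would after the alert has fired.

    Returns one of: "no-match", "likely-injection", "needs-review",
    "probable-false-positive".
    """
    m = SIG_5930.search(url)
    if m is None:
        return "no-match"
    parts = urlsplit(url)
    query_start = url.find("?")
    in_query = query_start != -1 and m.start() > query_start
    if not in_query:
        # Keywords only appear in the path: typically a page name or slug.
        return "probable-false-positive"
    decoded = unquote_plus(parts.query)
    if SQL_CONTEXT.search(decoded):
        return "likely-injection"
    # Keywords in a query string but nothing else SQL-like: pull the packet log.
    return "needs-review"


def scan(urls):
    """Map every URL to its triage label; handy for a batch of PIX 'Accessed URL' lines."""
    return {u: triage(u) for u in urls}


if __name__ == "__main__":
    for url, label in scan(SAMPLES).items():
        print(f"{label:24s} {url}")
```

Run it on a list of URLs pulled from the PIX "Accessed URL" lines for the alert's timestamp; anything labelled "needs-review" or "likely-injection" is where the "log packets" action on the signature pays off, while "probable-false-positive" hits can usually be closed once the path is confirmed to be static content.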
