We occasionally get "5930 - Generic SQL Injection" alerts on our network.
Signature Details: "Union All? Select". Unfortunately, I can't find a match for this string in the attacker context. I have even looked at the PIX logs, which contain "x.x.x.x Accessed URL", for a possible "Union All? select" as part of the URL, but could not find any.
Could you please throw some light on how to determine if this is a genuine attack or not?
Secondly, I have seen a lot of similar ones: "Aspirox Injection" alerts don't provide the URL in the attacker context. I need to go and fetch the corresponding PIX log to figure out which URL was targeted by this attack.
Could you not capture the entire URL? This alert without URL context is meaningless.
I assume you tried setting the detailed/verbose action on this signature. If you already have, try setting the action on signature 5930 to log the attacker packets and the victim packets. You should be able to follow what is happening once you review the capture logs.
My research leads me to believe the SQL signatures are pretty accurate. If they fire, someone is trying to do a SQL injection. The real question is how does your database respond? As indicated earlier, capture the data stream, but also look at your server and database logs. Has something changed in your database?
The Generic SQL sig 'does' actually generate a lot of false positives. Currently it's complaining about slide.com, and it's firing for our Network Admin (sitting right next to me). And I'm sure he is not trying to do a SQL injection attack on slide.com (he does not even know what SQL injection is :).
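As an added example (not code from this thread, and not Cisco's signature 5930 regex), the following Python scan walks constructed PIX-style "Accessed URL" lines, URL-decodes each URL before looking for the union/select keyword sequence the signature name describes, and separates a bare keyword hit (such as a benign search phrase of the kind that produces the false positives mentioned above) from one that also carries SQL metacharacters and so deserves a packet capture. The log line format, the keyword pattern and the sample lines are all assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed approximation of a "union all? select" check; NOT the real
# Cisco signature regex. Allows whitespace or inline comments between keywords.
UNION_SELECT = re.compile(
    r"\bunion\b(?:\s|/\*.*?\*/)+(?:\ball\b(?:\s|/\*.*?\*/)+)?\bselect\b",
    re.IGNORECASE | re.DOTALL,
)
# Metacharacters that usually accompany a real injection attempt.
SQL_META = re.compile(r"'|--|/\*|\*/|;")
# Assumed PIX-style access line: "<src-ip> Accessed URL <url>".
ACCESS_LINE = re.compile(r"^(\S+) Accessed URL (\S+)")

def normalize_url(url, rounds=3):
    """Decode %xx and '+' escapes repeatedly (bounded), so a literal search
    does not miss a keyword that was encoded or double-encoded on the wire."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify_url(url):
    """None if the pattern is absent; 'keyword-only' when only the words
    match (often benign text); 'with-sql-meta' when quotes/comments/semicolons
    are present as well (worth pulling the packet logs for)."""
    text = normalize_url(url)
    if not UNION_SELECT.search(text):
        return None
    return "with-sql-meta" if SQL_META.search(text) else "keyword-only"

def scan_access_log(lines):
    """Return (src, decoded_url, verdict) for every line that hits the pattern."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if m and (verdict := classify_url(m.group(2))):
            hits.append((m.group(1), normalize_url(m.group(2)), verdict))
    return hits

# Constructed sample lines (not from the poster's PIX logs).
SAMPLE_LOG = [
    "10.0.0.5 Accessed URL http://example.test/search?q=credit+union+all+select+members",
    "10.0.0.9 Accessed URL http://example.test/item.asp?id=1%27+UNION+ALL+SELECT+1--",
    "10.0.0.7 Accessed URL http://example.test/index.html",
    "10.0.0.3 Accessed URL http://example.test/page?id=5%2527%2520union%2520select%25201--",
]

if __name__ == "__main__":
    for src, url, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{src:10} {verdict:14} {url}")
```

The first sample line shows why a signature keyed only on the keyword sequence fires on ordinary traffic, and the last shows why a literal string search of the logs can miss an encoded hit.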
Okay, first of all... you should know that the attacker context will not always have everything you need to make sense of an alarm. In your case it does. If you really want to research something, add one of the "log packets" actions. Here is the regex for that sig: