Generic SQL sig 5930/5

shiznitide
Level 1

I was reading some old posts that said signature 5930/5 "Generic SQL" is an old signature that has been re-released to include the "asprox" vulnerability.

#1) Can someone tell me when this sig was first released, and has this always been 5930?

#2) Been seeing between 250-750 5930/5 attacks being blocked by this sig several times a day. If the sig was just added to my system not too long ago, does this mean that these attacks were not getting blocked before this?

Any help would be great. Thanks for your time.

4 Replies

mhellman
Level 7

1) I believe the 5930 sigs are new.

2) Yes. It doesn't mean they were successful though.

So, could you say that 5930 sigs are new with the "asprox" injection sig wrapped up in it (6964-0)... asprox botnet?

I'm just saying that I don't believe they existed before. There are variations of the asprox worm, so they could be looking for different patterns (I believe 6964-0 is more specific than the 5930 sigs, hence the "generic" reference).

6964-0 is a more specific signature released to address the asprox worm; however, as mhellman stated, there are variations of it.

5930-x is a suite of generic signatures created to catch SQL injection attempts. Some were initially released in s349 and the -6 subsignature was released in s353. We'll add more as needed.

5930-5 will fire on the asprox worm (as would sig 6964-0) as well as many of its variations.
