08-25-2008 12:42 PM - edited 03-10-2019 04:15 AM
I was reading some old posts that said signature -5930/5 "Generic SQL" is an old signature that has been re-released to include the "asprox" vulnerability.
#1) Can someone tell me when this sig was first released, and has this always been 5930?
#2) Been seeing between 250-750 5930/5 attacks being blocked by this sig several times a day. If the sig was just added to my system not too long ago... does this mean that these attacks were not getting blocked before this?
Any help would be great. Thanks for your time.
08-25-2008 01:12 PM
1) I believe the 5930 sigs are new.
2) Yes. It doesn't mean they were successful though.
08-25-2008 01:22 PM
So, could you say that 5930 sigs are new with the "asprox" injection sig wrapped up in it (6964-0)... asprox botnet?
08-25-2008 02:01 PM
I'm just saying that I don't believe they existed before. There are variations of the asprox worm, so they could be looking for different patterns (I believe 6964-0 is more specific than the 5930 sigs, hence the "generic" reference).
08-26-2008 04:57 AM
6964-0 is a more specific signature released to address the asprox worm; however, as mhellman stated, there are variations of it.
5930-x is a suite of generic signatures created to catch SQL injection attempts. Some were initially released in s349, and the -6 subsignature was released in s353. We'll add more as needed.
5930-5 will fire on the asprox worm (as would sig 6964-0) as well as many of its variations.