Cisco Support Community
New Member

Generic SQL sig 5930/5

I was reading some old posts that said signature 5930/5 "Generic SQL" is an old signature that has been re-released to include the "asprox" vulnerability.

#1) Can someone tell me when this sig was first released, and has this always been 5930?

#2) I've been seeing between 250-750 5930/5 attacks being blocked by this sig several times a day. If the sig was just added to my system not too long ago, does this mean that these attacks were not getting blocked before this?

Any help would be great. Thanks for your time.

4 REPLIES
Gold

Re: Generic SQL sig 5930/5

1) I believe the 5930 sigs are new.

2) Yes. It doesn't mean they were successful though.

New Member

Re: Generic SQL sig 5930/5

So, could you say that 5930 sigs are new with the "asprox" injection sig wrapped up in it (6964-0)... asprox botnet?

Gold

Re: Generic SQL sig 5930/5

I'm just saying that I don't believe they existed before. There are variations of the asprox worm, so they could be looking for different patterns (I believe 6964-0 is more specific than the 5930 sigs, hence the "generic" reference).

Cisco Employee

Re: Generic SQL sig 5930/5

6964-0 is a more specific signature released to address the asprox worm; however, as mhellman stated, there are variations of it.

5930-x is a suite of generic signatures created to catch SQL injection attempts. Some were initially released in s349 and the -6 subsignature was released in s353. We'll add more as needed.

5930-5 will fire on the asprox worm (as would sig 6964-0) as well as many of its variations.
