
TAC Security Podcast Episode #16 - Mitigating a SQL attack with ASA, IPS and IOS Firewall

Episode Information

 

Episode Name: Episode 16 - Mitigating a SQL attack with ASA, IPS and IOS Firewall

Contributors:  Blayne Dreier, Jay Johnston, Magnus Mortensen, David White

Posting Date: February 2, 2011

Description:  In this episode, the panel discusses SQL attacks against web servers, and how they are detected and mitigated by the IPS appliances.  In addition, the panel looks at how you can use the same signatures from the IPS and apply them as regex matches to the http inspection engines on both the ASA and IOS-Firewall.

 


Listen Now    (MP3 22.8 MB; 32:28 mins)

 

Subscribe to the Podcast

 

Subscribe to the Podcast in iTunes by clicking the image below:


 

Alternatively, you can search within iTunes for Cisco TAC Security Podcast, and subscribe there.  By subscribing, you will automatically receive future episodes when they are posted.

 

 

About the Cisco TAC Security Podcast

 

The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.

 

Complete episode listing and show information

 

Show Notes

 

For the exploit used in the Podcast discussion, the following IPS signatures will detect the attack:

 

  • Generic SQL Injection - Signature ID=5930
  • SQL Query in HTTP Request - Signature ID=5474

 

Examining those signatures on the IPS, we can see the following Regular Expression (regex) patterns which are used to match against those signatures:

 

Generic SQL Injection - Signature ID=5930

Regex

[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]

 

The above regex pattern is really looking for the following text "UNION ALL SELECT" - where the "ALL" is optional.  It will also match on either a space or plus between words.  Therefore, all of the following phrases will cause the regex to be matched:

 

UNION ALL SELECT

UNION SELECT
UNION+ALL+SELECT
UNION+SELECT

 

Also note that the text can be in any case, and that each separator can independently be either a space or a plus.  Thus the following also matches:

 

UnIoN+AlL sElEcT

 

Since the regex can be a little confusing, we have broken it apart to indicate what each section of the regular expression is doing.

 

[Image: Episode_16_Regex_B.jpg]

 

One thing to note is that the (%20|\x2b) piece matches on either the URL encoding of a space (%20), or a plus (+), represented as \x2b in ASCII hexadecimal notation.

 

SQL Query in HTTP Request - Signature ID=5474

Regex

([%]2[0bB]|[=]|[+])[(]?[Ss][Ee][Ll][Ee][Cc][Tt]([%]2[0bB]|[+])[^\r\x00-\x19\x7f-\xff]+([%]2[0bB]|[+])[Ff][Rr][Oo][Mm]([%]2[0bB]|[+])

 

This second regex is slightly more complicated, but very similar to the previous one.  In this case, the regex matches on a preceding space, plus or equal sign, then an optional open parenthesis, then the text SELECT followed by any number of characters and then the text FROM.  Therefore, all of the following phrases will cause the regex to be matched:

 

+(SELECT+DATA+FROM+

=SELECT PASSWORD FROM

(SELECT * FROM

+(SELECT+*+FROM+

 

Given that there are 7 sections to the regex, there are quite a few different possibilities for this regex.  Again, all text is case insensitive.  One thing to note here is the alternate form of matching for a space or a plus ([%]2[0bB]|[+]).  This form is a bit longer than the previous way we saw in signature 5930, and matches not only on the literal plus (+), but also the URL encoded form of a plus (%2b or %2B) - which is actually 3 ASCII characters.

 

 

[Image: Episode_16_Regex.jpg]

 

 

Device Specific Configurations

 

IPS

No specific configuration is required on IPS, as the regular expressions above are included in the signature set which is installed on the IPS.  They are also enabled by default, so users are protected from these types of attacks.

 

Signature definitions from http://www.cisco.com/security

 

Signature 5930/0: Generic SQL Injection

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5930&signatureSubId=0&softwareVersion=6.0&releaseVersion=S360

 

Signature 5474/0: SQL Query in HTTP Request

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5474&signatureSubId=0&softwareVersion=6.0&releaseVersion=S368

ASA

 

In order to match the above two regular expressions on the ASA (so that it detects the exploit), we have to do a few things.

 

First, the regex for signature 5474 is 133 characters, but the ASA has a limit on the maximum length of a regular expression - and it is 101 characters.  Therefore, for the ASA we will use the following regular expression pattern

 

[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)

 

We removed the leading check for a space, plus or equal sign, and also removed the optional brackets around the % and + signs.  Removing the leading check reduces the fidelity of the signature and can result in more false negative conditions.

 

Second, as the POST method we are using to exploit the vulnerability is sent in the Body, we need to increase the depth of how many bytes the ASA will look into the body, before stopping.  By default it is 2,000 bytes.  But, our exploit is just after 2,000 bytes, so we are increasing it to 3,000 bytes under the parameters section.

 

One final important note: the ASA parser treats any question mark (?) you enter as a request for help.  Therefore, to enter a question mark (?) in the regex, you must first escape it by entering the Control+V character sequence, then the question mark.  The Control+V character will not appear on the screen.

 

 

ASA Configuration

 

regex SQL_regex_1 "[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]"
regex SQL_regex_2 "[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)"
!
class-map WebServers
 match port tcp eq www
class-map type inspect http match-any SQL-map
 match request body regex SQL_regex_1
 match request body regex SQL_regex_2
!
policy-map type inspect http drop-SQL
 parameters
  body-match-maximum 3000
 class SQL-map
  drop-connection log
policy-map SQL-traffic
 class WebServers
  inspect http drop-SQL
!
service-policy SQL-traffic interface outside
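
The matching behaviour described in these notes can be checked offline. The following Python script is an added example, not part of the original show notes or Cisco's code: it runs the two IPS patterns and the shortened ASA pattern over constructed POST bodies, and models body-match-maximum as a simple truncation of the body (an assumption). The ASA separator (%2[0bB]|+) is written with [+] because Python's re module rejects a bare + in that position.

```python
import re

# Patterns copied from the show notes. Python's re reads \x2b as a literal '+'.
SIG_5930 = re.compile(
    r"[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]")
SIG_5474 = re.compile(
    r"([%]2[0bB]|[=]|[+])[(]?[Ss][Ee][Ll][Ee][Cc][Tt]([%]2[0bB]|[+])"
    r"[^\r\x00-\x19\x7f-\xff]+([%]2[0bB]|[+])[Ff][Rr][Oo][Mm]([%]2[0bB]|[+])")
# Shortened ASA form of 5474: no leading separator check. The '+' alternative
# is bracketed as [+] for Python (an adaptation with the same meaning).
ASA_5474 = re.compile(
    r"[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|[+])"
    r"[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|[+])[Ff][Rr][Oo][Mm](%2[0bB]|[+])")

PATTERNS = {"5930": SIG_5930, "5474": SIG_5474, "ASA-5474": ASA_5474}

def inspect_body(body, max_depth=2000):
    """Return the sorted names of patterns found in the first max_depth
    characters of the body. max_depth stands in for body-match-maximum."""
    window = body[:max_depth]
    return sorted(name for name, rx in PATTERNS.items() if rx.search(window))

# Constructed POST bodies, written as they appear on the wire (form-encoded).
SAMPLES = {
    "union_mixed": "id=1%20UnIoN+AlL%20sElEcT%201",
    "select_from": "q=(SELECT+password+FROM+users)",
    # Ordinary text: 'select' is not preceded by a separator, so only the
    # shortened ASA pattern fires (the reduced fidelity the notes mention).
    "benign_word": "note=preselect+items+from+menu",
    "benign": "user=alice&comment=hello+world",
    # The pattern starts after the default 2,000-byte inspection depth.
    "deep": "pad=" + "A" * 2000 + "&id=1+UNION+SELECT+1",
}

def run_samples():
    results = {name: inspect_body(body) for name, body in SAMPLES.items()}
    # Same body again with the depth raised to 3,000 as in the ASA config.
    results["deep@3000"] = inspect_body(SAMPLES["deep"], max_depth=3000)
    return results

if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:12} -> {hits or 'no match'}")
```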

 

 

 

 

ASA Syslog

When HTTP traffic matches the above regex, the ASA will generate the following syslog message to let the administrator know that the packet was denied and the connection reset.

 

%ASA-4-507003: tcp flow from inside:192.168.1.5/53583 to outside:198.51.100.208/80 terminated by inspection engine, reason - disconnected, dropped packet.

 

 

IOS

To mitigate this attack using IOS, we're using the Zone-Based IOS Firewall to watch just HTTP traffic to our webserver and monitor for any matches on the regex below. In this case the router happened to be running IOS version 15.1(2)T2, image c2800nm-adventerprisek9-mz.151-2.T2.bin

IOS Config

!
parameter-map type regex SQL-injection-regex-first
 pattern [uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]
parameter-map type regex SQL-injection-regex-second
 pattern ([%]2[0bB]|[=]|[+])[(]?[Ss][Ee][Ll][Ee][Cc][Tt]([%]2[0bB]|[+])[^\r\x00-\x19\x7f-\xff]+([%]2[0bB]|[+])[Ff][Rr][Oo][Mm]([%]2[0bB]|[+])
!
!
class-map type inspect match-all http-traffic-class
 match protocol http
 match access-group name traffic-to-server
class-map type inspect http match-any SQL-injection-class
 match req-resp body regex SQL-injection-regex-first
 match req-resp body regex SQL-injection-regex-second
!
!
policy-map type inspect http SQL-injection-http-policy
 class type inspect http SQL-injection-class
  log
  reset
policy-map type inspect http-traffic-policy
 class type inspect http-traffic-class
  inspect
  service-policy http SQL-injection-http-policy
 class class-default
  pass
!
zone security inside
zone security outside
zone-pair security in-out source inside destination outside
 service-policy type inspect http-traffic-policy
!
interface GigabitEthernet0/0
 ip address 10.32.223.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.13.2 255.255.0.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
!
ip access-list extended traffic-to-server
 permit tcp any host 198.51.100.208 eq www
!
!
ip nat inside source list 5 interface GigabitEthernet0/1 overload
!
access-list 5 permit 192.168.13.0 0.255.255.255
!

 

 
 
 

IOS Syslog

When traffic matches the above HTTP inspection engine with the regex pattern, IOS will generate the following syslog message:
 
 

 

 
%APPFW-4-HTTP_BODY_REGEX_MATCHED: Body regex ([uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][) matched - resetting session 10.32.223.2:64767 198.51.100.208:80 on zone-pair in-out class http-traffic-class appl-class SQL-injection-class
 

SQL Injection attacks can be funny too!

 

http://i.imgur.com/jWTXq.jpg
http://xkcd.com/327/

 

 
 
Version history
Revision #:
2 of 2
Last update:
‎09-25-2017 06:35 AM
Comments
New Member

Great show as per usual, fellas. One Q - what's the crack with the NAT on the IOS FW? There's no IPs for it.

cheers

Cisco Employee

Golly, I added the nat configuration as requested...good catch!

New Member

No worries. :-)

Not wanting to hijack your show, here's an IKEv2 VPN I created on a pair of ASAs earlier...

http://www.it-book.co.uk/814/ike-version-2-site-to-site-vpn-using-psk

Cisco Employee

That's a good configuration reference. Consider posting it in the VPN community here: https://supportforums.cisco.com/community/netpro/security/vpn?view=documents