SQL Injection

Posted on 2011-10-24
Last Modified: 2013-11-29
The Cisco IPS Sensor is showing multiple SQL injection alerts, e.g. Generic SQL Injection, SQL Query in HTTP Request.

The problem is HOW I can drill down and see which PC or app in the web server is generating it.

In Attacker IP I got my PROXY appliance IP,
and in Victim IP I got some guy sitting in Korea.

Any ideas?
Question by:osloboy
    LVL 38

    Expert Comment

    by:Rich Rumble
    Sounds like a false positive, and/or one of your users' machines has attacked someone in Korea (it's usually the other way around :). Cisco should be able to help you; have you contacted TAC?

    Author Comment

    Is Cisco TAC the same as Oracle, where you can find KBs and other information?
    LVL 38

    Assisted Solution

    by:Rich Rumble
    If you pay for Cisco gear, typically you pay for support, and TAC is Cisco's live support: you open a case and an engineer calls you or emails you. I don't use Cisco IPS so I might not be able to help much more.
    LVL 60

    Accepted Solution

    To know the web app attack, it should surface from the HTTP log, and if the proxy is L7 aware, it should be able to see it. Also, a traffic dump is ideal to sieve through the L7 info. You can try having it dump out the collected log, or use a sniffer. See this

    Normally, if the proxy is also a web app firewall, the info you need will be easily available. There is ModSecurity, for instance. The proxy log will show the HTTP GET and POST or relevant XML-based requests that an IDS or IPS may not have visibility into, since they rely on patterns rather than contextual info to trigger alerts.
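    As an added example, not from anyone in this thread, the correlation the accepted solution describes in Python: take the IPS alert's victim IP and time, read the proxy's HTTP access log for that window, and see which internal client actually sent the requests, flagging the ones whose decoded query string looks injected. The log layout, client IPs, victim IP and URLs are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Constructed sample lines in a simplified Squid-style access.log layout:
# <epoch seconds> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1319450400.101 10.1.20.15 GET http://203.0.113.7/app/item.php?id=42 200
1319450401.512 10.1.20.15 GET http://203.0.113.7/app/item.php?id=42%27%20OR%201%3D1-- 500
1319450402.004 10.1.20.33 GET http://198.51.100.9/news/?q=select+a+plan 200
1319450403.777 10.1.20.15 GET http://203.0.113.7/app/item.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users 500
1319450500.000 10.1.20.48 GET http://203.0.113.7/app/index.php 200
"""
# Loose SQL-injection indicators of the kind a "Generic SQL Injection" IPS
# signature keys on; applied to the URL-decoded query string only.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),       # ' OR 1=1
    re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),         # UNION ... SELECT
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),  # stacked statement
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (epoch, client_ip, method, url, status) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return float(ts), client, method, url, int(status)

def looks_like_sqli(query):
    """True if an already URL-decoded query string matches any indicator."""
    return any(p.search(query) for p in SQLI_PATTERNS)

def correlate(log_text, victim_ip, alert_epoch, window_s=120):
    """Map each internal client that reached victim_ip within +/- window_s of the
    IPS alert to its request count and the decoded queries that look injected."""
    hits = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, client, _method, url, _status = rec
        parts = urlsplit(url)
        if parts.hostname != victim_ip or abs(ts - alert_epoch) > window_s:
            continue
        entry = hits.setdefault(client, {"requests": 0, "suspicious": []})
        entry["requests"] += 1
        query = unquote_plus(parts.query)  # decode before matching, as the IPS did
        if looks_like_sqli(query):
            entry["suspicious"].append(query)
    return hits
```

    Run with `correlate(SAMPLE_LOG, "203.0.113.7", 1319450402.0)`: the client with injected-looking queries is the one to investigate, while the other client that merely browsed the same host in the window is shown with an empty suspicious list.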

    Author Comment

    Thanks a lot for the light in the dark.

    What switches/filters should I use in Wireshark to get this task done?

    Any specific ones?


    Author Closing Comment

