SQL Injection

The Cisco IPS Sensor is showing multiple SQL injection alerts, e.g. Generic SQL Injection, SQL Query in HTTP Request.

The problem is how I can drill down and see which PC or app in the web server is generating it.

In Attacker IP I got my proxy appliance IP,
and in Victim IP I got some guy sitting in Korea.

Any ideas?
btan (Exec Consultant) Commented:
To know the web app attack, it should surface in the HTTP log, and if the proxy is L7 aware, it should be able to see it. A traffic dump is also ideal for sieving through the L7 info. You can try dumping out the collected log or using a sniffer. See this


Normally, if the proxy is also a web app firewall, the info you need will be easily available. There is ModSecurity, for instance. The proxy log will show the HTTP GET and POST or relevant XML-based requests that the IDS or IPS may not have visibility into, since they rely on patterns, not contextual info, to trigger alerts.
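The correlation described in the answer above, as an added example that is not part of the original thread: take the Victim IP and time from the IPS alert, then search the proxy's HTTP log for matching requests to recover the internal client the proxy's own address is hiding. The Squid-style log layout, the addresses, the timestamps and the regex heuristics are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Squid's native access.log layout (an assumption:
# the thread does not name the proxy product). All addresses are made up.
SAMPLE_LOG = """\
1522310400.112    210 10.1.20.15 TCP_MISS/200 5120 GET http://203.0.113.50/news.php?id=42 - DIRECT/203.0.113.50 text/html
1522310405.734    198 10.1.20.77 TCP_MISS/200 4312 GET http://203.0.113.50/item.php?id=1%20UNION%20SELECT%20name,pass%20FROM%20users - DIRECT/203.0.113.50 text/html
1522310409.020     95 10.1.20.15 TCP_MISS/200 830 GET http://198.51.100.9/search?q=select+a+union+rep - DIRECT/198.51.100.9 text/html
1522310470.301    180 10.1.20.77 TCP_MISS/500 612 GET http://203.0.113.50/item.php?id=1'%20OR%20'1'='1 - DIRECT/203.0.113.50 text/html
"""

# Fields: time elapsed client action/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+/\d{3}\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)

# Illustrative heuristics only; these are not the Cisco IPS signatures.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    re.compile(r"'\s*or\s+'?\w+'?\s*=", re.I),
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
]

def find_sources(log_text, victim_ip, alert_ts, window=120):
    """Return (client, ts, method, decoded_url) for requests that went to
    victim_ip within `window` seconds of the alert and look like SQL injection."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["peer"] != victim_ip:
            continue  # unparsable line, or traffic to a different server
        ts = float(m["ts"])
        if abs(ts - alert_ts) > window:
            continue  # outside the time window around the alert
        decoded = unquote_plus(m["url"])  # undo %20 and + so patterns can match
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append((m["client"], ts, m["method"], decoded))
    return hits

if __name__ == "__main__":
    # Victim IP and alert time as read off the IPS alert (constructed values).
    for client, ts, method, url in find_sources(SAMPLE_LOG, "203.0.113.50", 1522310406):
        print(f"{client}  {ts:.3f}  {method} {url}")
```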
Rich Rumble (Security Samurai) Commented:
Sounds like a false positive, and/or one of your users' machines has attacked someone in Korea (it's usually the other way around :) ). Cisco should be able to help you; have you contacted TAC?
osloboy (Author) Commented:
Is Cisco TAC the same as Oracle, where you can find KBs and other information?
Rich Rumble (Security Samurai) Commented:
If you pay for Cisco gear, typically you pay for support, and TAC is Cisco's live support: you open a case and an engineer calls you or emails you. I don't use Cisco IPS, so I might not be able to help much more.
osloboy (Author) Commented:
Thanks a lot for the light in the dark.

What switches/filters should I use in Wireshark to get this task done?

Any specifics?
