IPS SQL injection warnings

We are utilizing a Cisco IPS solution in our ASA 5525 firewall, and are seeing a string of periodic warning messages similar to below. All of the messages refer to user desktops connected to our internal network, and in each batch a single internal 'attacker' IP seemingly makes attempts on a number of external 'victim' IPs.

We run TrendMicro Officescan throughout the network, which does not detect correlating malware etc.

Can anyone provide a reasonable explanation for these alerts? Can these be confirmed as false positives?


event_id = 6823723977258
severity = high
device_name = 10.10.x.x
app_name = sensorApp
event_time = 11/04/2015 13:08:25
sig_id = 5930
subsig_id = 8
sig_name = Generic SQL Injection
sig_details = Drop Database Or Table
attacker_ip = 10.10.x.x
victim_ip = 173.194.123.34
victim_port = 0
victim_os = unknown unknown (relevant)
actions =
alert_details = InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="PortChannel0/0" ; Regular Summary: 3 events this interval ; risk_rating_num = 85(TVR=medium ARR=relevant) threat_rating = 85 reputation =
agradminAsked:

btanExec ConsultantCommented:
The victim of 173.194.123.34 is leading to Google Inc and in this case, based on the signature, the possibility of a false positive or benign trigger does not exist - meaning there are indeed deliberate attempts to exploit SQL injection using the mentioned "Drop" command in HTTP arguments. Such commands "remove" the database, in short wipe out the data.

You probably have to check if there is any dealing with Google services such as using Google online services - be it the office suite, DNS servers or even their analytics API for internal systems... if those batches of systems are not only servers but include client machines, it may be some common service in the Enterprise recently subscribed to. Good to grab the commonality for those frequent batches and groups of source systems. Does not really make sense if there is no relation or dealing with Google Inc at all... have the infra and network folks check for any upgrade on the IPS recently or changes in patch rollout Enterprise-wide too. Probably have to look into the FW log as well...
agradminAuthor Commented:
Problem solved!
After rooting through the IPS logs I found entries that supplied greater detail. It looks like the IPS was picking up on a browser connection to a product sold by our company (Teardrop Tabletop Terrarium) and extrapolating 'drop table' from it, reading it as a SQL injection attempt.

Following is a portion of the IPS log indicating the suspect request:
0000D0  59 26 74 69 74 6C 65 3D  47 6C 61 73 73 25 32 30  Y&title=Glass%20
0000E0  54 65 72 72 61 72 69 75  6D 25 32 30 2D 25 32 30  Terrarium%20-%20
0000F0  54 65 61 72 64 72 6F 70  25 32 30 54 61 62 6C 65  Teardrop%20Table

So this does turn out to be a false positive after all - thanks for the help in any case.
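To make the false positive concrete, here is an added example (not code from the original post or from Cisco) that rebuilds the request fragment from a hex dump in the same layout as the IPS log above, percent-decodes it, and runs it through two detection rules: a plain substring check, which fires on "Teardrop Table" exactly as the sensor did, and a word-boundary regex, which does not. The hex-dump text and the injection sample are constructed for the example; the function names and the two matchers are illustrative, not the signature engine's real logic.

```python
import re
from urllib.parse import unquote

# Constructed hex-dump lines, laid out like the Cisco IPS log excerpt in the post:
# offset, sixteen hex byte values, then the printable ASCII column.
IPS_HEXDUMP = """\
0000D0  59 26 74 69 74 6C 65 3D  47 6C 61 73 73 25 32 30  Y&title=Glass%20
0000E0  54 65 72 72 61 72 69 75  6D 25 32 30 2D 25 32 30  Terrarium%20-%20
0000F0  54 65 61 72 64 72 6F 70  25 32 30 54 61 62 6C 65  Teardrop%20Table
"""

# Offset, then up to sixteen two-digit hex values separated by whitespace.
# Capping at sixteen keeps the ASCII column from being swallowed when it
# happens to start with hex-looking characters.
_HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]+\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload bytes from the hex column of each dump line."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))  # fromhex ignores the spaces
    return bytes(out)


def decode_request(dump: str) -> str:
    """Bytes -> text -> percent-decoded text, i.e. what the web app would see."""
    return unquote(hexdump_to_bytes(dump).decode("latin-1"))


def naive_match(text: str) -> bool:
    """Substring check of the kind that fires on 'Teardrop Table'."""
    lowered = text.lower()
    return "drop table" in lowered or "drop database" in lowered


# DROP must begin a word, so the 'drop' inside 'Teardrop' no longer qualifies.
_STRICT = re.compile(r"\bdrop\s+(?:table|database)\b", re.IGNORECASE)


def strict_match(text: str) -> bool:
    """Word-boundary variant of the same rule."""
    return _STRICT.search(text) is not None


if __name__ == "__main__":
    decoded = decode_request(IPS_HEXDUMP)
    print("decoded request fragment:", decoded)
    samples = (
        ("product page", decoded),
        ("constructed injection", "id=1; DROP TABLE users--"),  # constructed sample
    )
    for label, sample in samples:
        print(f"{label:22} naive={naive_match(sample)} strict={strict_match(sample)}")
```

The decoded fragment reads "Y&title=Glass Terrarium - Teardrop Table": the naive rule reports it as a hit while the word-boundary rule stays quiet, and both rules still catch the constructed `DROP TABLE` payload. Rebuilding the payload this way is a quick first step when an IPS alert only shows a signature name, because it lets you see exactly which bytes the sensor reacted to before deciding whether to tune anything.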

btanExec ConsultantCommented:
thanks for sharing, indeed a benign trigger then. in fact you can consider customizing the signature for exception by creating an Event Action Rule subtracting blocking actions - like this case for another folk.
And bingo:) it was Google Analytics. So it was perfectly legitimate traffic since server from my customer updated some web statistics to Google Analytics and my IPS found SQL 'union select' statements in HTTP requests. I immediately created Event Action Rule subtracting blocking actions for such signature if "malicious" traffic flows from inside to outside. Now my IPS shall not disturb Google Analytics but it will prevent some SQL injection attacks against my Internet facing web applications.
http://packetwarrior.blogspot.sg/2010/07/how-to-tune-cisco-aip-ssm-ips-module.html
More info on the event action filter @ http://blog.globalknowledge.com/technology/security/understanding-event-action-filters/
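The tuning advice above subtracts only the blocking actions, and only when the "attacker" is on the inside talking to an outside host, so the same signature keeps denying inbound attempts against Internet-facing applications. The following added example (not code from the post, from Cisco, or from the linked blogs) models that event action filter in Python over a record in the key=value layout the question quotes. The inside address is made up because the post masks it as 10.10.x.x, the action names are assumed for illustration, and the filter itself is a simplified model of the real feature.

```python
import ipaddress

# Constructed event in the key=value layout of the IPS record quoted in the
# question. The inside address is made up (the post masks it as 10.10.x.x),
# and the action names are assumed for illustration.
OUTBOUND_EVENT = """\
sig_id = 5930
subsig_id = 8
sig_name = Generic SQL Injection
attacker_ip = 10.10.5.23
victim_ip = 173.194.123.34
actions = deny-packet-inline produce-alert
"""

# Same signature with the roles reversed: an outside host sending the payload
# at an inside address. This is the case the exception must NOT cover.
INBOUND_EVENT = """\
sig_id = 5930
subsig_id = 8
sig_name = Generic SQL Injection
attacker_ip = 173.194.123.34
victim_ip = 10.10.5.23
actions = deny-packet-inline produce-alert
"""

# Assumed action names; everything here is treated as "blocking".
BLOCKING_ACTIONS = {"deny-packet-inline", "deny-connection-inline",
                    "deny-attacker-inline", "request-block-host"}


def parse_event(text: str) -> dict:
    """Turn 'key = value' lines into a dict; the actions field becomes a set."""
    event = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        event[key.strip()] = value.strip()
    event["actions"] = set(event.get("actions", "").split())
    return event


def is_outbound(event: dict) -> bool:
    """Inside (RFC 1918) source talking to a non-private destination."""
    src = ipaddress.ip_address(event["attacker_ip"])
    dst = ipaddress.ip_address(event["victim_ip"])
    return src.is_private and not dst.is_private


def apply_exception(event: dict, sig_id: str = "5930", subsig_id: str = "8") -> set:
    """Model of an event action filter: subtract the blocking actions, and only
    for outbound hits of the named signature. Alerting is always kept so the
    traffic stays visible in the logs."""
    remaining = set(event["actions"])
    if (event.get("sig_id") == sig_id and event.get("subsig_id") == subsig_id
            and is_outbound(event)):
        remaining -= BLOCKING_ACTIONS
    return remaining


if __name__ == "__main__":
    for label, raw in (("outbound", OUTBOUND_EVENT), ("inbound", INBOUND_EVENT)):
        ev = parse_event(raw)
        print(f"{label}: actions after filter -> {sorted(apply_exception(ev))}")
```

For the outbound record only `produce-alert` survives, so the product page traffic still shows up in the event log but is no longer dropped; the inbound record keeps `deny-packet-inline`. Scoping the exception by direction (and by signature and sub-signature, not just the signature family) is what keeps a false-positive fix from turning into a blind spot.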
agradminAuthor Commented:
Digging deep enough into the IPS logs brought me to information that helped explain the alerts. I will be testing further to see what process is triggering the alert.