agradmin
asked on
IPS SQL injection warnings
We are utilizing a Cisco IPS solution in our ASA 5525 firewall, and are seeing a string of periodic warning messages similar to the one below. All of the messages refer to user desktops connected to our internal network, and in each batch a single internal 'attacker' IP seemingly makes attempts against a number of external 'victim' IPs.
We run TrendMicro OfficeScan throughout the network, which does not detect any correlating malware, etc.
Can anyone provide a reasonable explanation for these alerts? Can these be confirmed as false positives?
event_id = 6823723977258
severity = high
device_name = 10.10.x.x
app_name = sensorApp
event_time = 11/04/2015 13:08:25
sig_id = 5930
subsig_id = 8
sig_name = Generic SQL Injection
sig_details = Drop Database Or Table
attacker_ip = 10.10.x.x
victim_ip = 173.194.123.34
victim_port = 0
victim_os = unknown unknown (relevant)
actions =
alert_details = InterfaceAttributes: context="single_vf" physical="Unknown" backplane="PortChannel0/0" ; Regular Summary: 3 events this interval ; risk_rating_num = 85(TVR=medium ARR=relevant) threat_rating = 85 reputation =
Thanks for sharing; indeed a benign trigger then. In fact you can consider customizing the signature for an exception by creating an Event Action Rule subtracting blocking actions, like in this case from another user:
"And bingo :) it was Google Analytics. So it was perfectly legitimate traffic, since a server from my customer updated some web statistics to Google Analytics and my IPS found SQL 'union select' statements in the HTTP requests. I immediately created an Event Action Rule subtracting blocking actions for that signature if 'malicious' traffic flows from inside to outside. Now my IPS shall not disturb Google Analytics, but it will prevent some SQL injection attacks against my Internet-facing web applications."
http://packetwarrior.blogspot.sg/2010/07/how-to-tune-cisco-aip-ssm-ips-module.html
More info on the event action filter @ http://blog.globalknowledge.com/technology/security/understanding-event-action-filters/
ASKER
Digging deep enough into the IPS logs brought me to information that helped explain the alerts. I will be testing further to see what process is triggering the alert.
You probably have to check if there is any dealing with Google services, such as using Google online services, be it the office suite, DNS servers or even their analytics API for internal systems. If those batches of systems are not only servers but include client machines, it may be some common service in the enterprise that was recently subscribed to. It is good to grab the commonality for those frequent batches and groups of source systems. It does not really make sense if there is no relation or dealing with Google Inc. at all. Have the infra and network folks check for any recent upgrade on the IPS, or enterprise-wide changes in the patch rollout, too. You probably have to look into the FW log as well.
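The commonality check suggested above (group the alerts by internal source, then see whether every external 'victim' belongs to one provider) can be scripted against the key = value export the IPS console produces. The following is an added example and not code from the thread or from Cisco: the three sample alerts are constructed in the same layout as the alert in the question, and the allow-list of destination ranges is an assumption (173.194.0.0/16 is a Google-announced prefix at the time of the thread, but confirm against current WHOIS/BGP data before tuning a filter on it; 203.0.113.0/24 is the RFC 5737 documentation range, used here only as a stand-in for an unrecognised destination). A source that only hits allow-listed destinations is a candidate for an Event Action Filter on sig 5930/8; a source that hits anything else stays on the investigation list.

```python
"""Triage Cisco IPS 'Generic SQL Injection' alerts by internal source and
classify each external destination against an assumed allow-list of CIDRs.
Added example; the alerts below are constructed, not real console output."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the key = value format shown in the question.
SAMPLE_ALERTS = """\
event_id = 6823723977258
severity = high
sig_id = 5930
subsig_id = 8
sig_name = Generic SQL Injection
sig_details = Drop Database Or Table
attacker_ip = 10.10.5.21
victim_ip = 173.194.123.34
victim_port = 0

event_id = 6823723977259
severity = high
sig_id = 5930
subsig_id = 8
sig_name = Generic SQL Injection
sig_details = Drop Database Or Table
attacker_ip = 10.10.5.21
victim_ip = 173.194.123.40
victim_port = 0

event_id = 6823723977260
severity = high
sig_id = 5930
subsig_id = 8
sig_name = Generic SQL Injection
sig_details = Drop Database Or Table
attacker_ip = 10.10.7.3
victim_ip = 203.0.113.9
victim_port = 0
"""

# Assumed allow-list: destinations known to receive analytics-style HTTP
# traffic from desktops. Verify the prefixes yourself before relying on them.
KNOWN_DESTINATIONS = {
    "google": [ipaddress.ip_network("173.194.0.0/16")],
}

KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_alerts(text):
    """Split a blank-line-separated dump of key = value alerts into dicts."""
    alerts, current = [], {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            alerts.append(current)
            current = {}
    if current:
        alerts.append(current)
    return alerts


def classify(ip):
    """Name the owner of an IP from the allow-list, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in KNOWN_DESTINATIONS.items():
        if any(addr in net for net in nets):
            return owner
    return "unknown"


def triage(text, sig_id="5930", subsig_id="8"):
    """Return {attacker_ip: {owner: set(victim_ips)}} for one signature."""
    report = defaultdict(lambda: defaultdict(set))
    for alert in parse_alerts(text):
        if alert.get("sig_id") != sig_id or alert.get("subsig_id") != subsig_id:
            continue
        owner = classify(alert["victim_ip"])
        report[alert["attacker_ip"]][owner].add(alert["victim_ip"])
    return {src: dict(owners) for src, owners in report.items()}


def needs_investigation(report):
    """Sources that hit at least one destination outside the allow-list."""
    return sorted(src for src, owners in report.items() if "unknown" in owners)


if __name__ == "__main__":
    rep = triage(SAMPLE_ALERTS)
    for src, owners in rep.items():
        print(src, {o: sorted(v) for o, v in owners.items()})
    print("investigate:", needs_investigation(rep))
```

Run it over a real export and the sources whose victims all resolve to one provider are the ones to compare against that provider's traffic (a proxy or firewall log entry for the same timestamp will show the HTTP request the signature matched); only then scope the Event Action Filter to that signature, the inside-to-outside direction, and the confirmed destination ranges rather than disabling the signature outright.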