WAF 341245

From Atomicorp Wiki
Revision as of 16:04, 15 February 2017 by Mshinn (Talk | contribs)

Rule: 341245
Status: Active
Alert Message: Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)

Description

This rule detects possible SQL injection attacks. It does this by looking for either SQL commands or unusual combinations of metacharacters that SQL servers will interpret as comments or delimiters, which attackers may use to obfuscate SQL injection attacks. This rule uses an external library (libinjection) to analyze the content. If you have a false positive with this rule, please report it to us.

Fingerprints

This rule looks for fingerprints in the input that may be SQL, and presents the fingerprint as a series of letters and symbols that describe the token types found. The algorithm reports a possible SQL injection attack based on a series of fingerprints, or in some very specific cases on a single fingerprint, depending on how strongly that fingerprint alone demonstrates a possible SQL injection or whether a set of fingerprints is needed to reach that conclusion. In general the algorithm combines fingerprints to determine whether the input may be a SQLi attack.


The following is a list of the fingerprint types. Each fingerprint type may have hundreds of sub-types to capture all the possible permutations; for example, the keyword type includes hundreds of known SQL commands:

  • U = UNION
  • G = GROUP
  • E = EXPRESSION
  • t = sql type statement
  • f = function (input looks like a possible function, for example execute(some command))
  • n = bare word (a bare word was detected, when combined with other signatures this may identify a series of SQL commands)
  • 1 = numbers
  • v = variable
  • s = string
  • o = operator (AND, OR, NOT, etc.)
  • & = logic operator
  • c = comment (comment characters such as /*, -- and others)
  • A = COLLATE
  • ( = left parenthesis
  • ) = right parenthesis
  • { = left brace
  • } = right brace
  • . = dot
  • , = comma
  • : = colon
  • ; = semicolon
  • T = TSQL START
  • X = could not parse and aborted
  • \ = backslash
  • k = keyword (known SQL statements, such as SMALLDATETIMEFROMPARTS, SQL_BUFFER_RESULT, IS_SRVROLEMEMBER, etc.)

Examples

The alert may look like this:


[Tue Feb 14 10:06:52 2017] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/11_asl_adv_rules.conf"] [line "82"] [id "341245"] [rev "28"] [msg "Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)"] [data "nf(n),ARGS:somevariable"] [severity "CRITICAL"] Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint 'nf(n)' [hostname "example.com"] [uri "/some/url"] [unique_id "WKJmPApYHEUAAAti9GAAAAAN"]

In this example, the fingerprint is "nf(n)", which represents a series of fingerprints that, when combined, are flagged as possible SQL commands or other potentially hazardous or malicious content. Using the table above, this signature means:

A bare word, combined with a function followed by a bare word inside parentheses, was found in the argument "somevariable". For example:

somevariable=select group(users)
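The following is an added example, not part of this wiki page or of Atomicorp's rule set: it parses ModSecurity error-log lines for this rule, extracts the libinjection fingerprint and the variable it matched, and decodes the fingerprint with the legend above. The second sample log line is constructed, and the parsing of the [data] field (fingerprint, comma, variable name) is an assumption based on the alert format shown on this page.

```python
import re

# Fingerprint legend from this wiki page's table: one character per token type.
FINGERPRINT_LEGEND = {
    "U": "UNION", "G": "GROUP", "E": "expression", "t": "SQL type",
    "f": "function", "n": "bare word", "1": "number", "v": "variable",
    "s": "string", "o": "operator", "&": "logic operator", "c": "comment",
    "A": "COLLATE", "(": "left parenthesis", ")": "right parenthesis",
    "{": "left brace", "}": "right brace", ".": "dot", ",": "comma",
    ":": "colon", ";": "semicolon", "T": "TSQL start",
    "X": "could not parse", "\\": "backslash", "k": "keyword",
}

ID_RE = re.compile(r'\[id "(\d+)"\]')
DATA_RE = re.compile(r'\[data "([^"]*)"\]')
FP_RE = re.compile(r"with fingerprint '([^']*)'")
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

def decode_fingerprint(fp):
    """Expand a fingerprint such as 'nf(n)' into one label per token."""
    return [FINGERPRINT_LEGEND.get(ch, "unknown(%s)" % ch) for ch in fp]

def parse_alert(line):
    """Return id/client/fingerprint/tokens/variable for one libinjection alert line, else None."""
    m_id, m_fp = ID_RE.search(line), FP_RE.search(line)
    if not (m_id and m_fp):
        return None
    fp, variable = m_fp.group(1), None
    m_data = DATA_RE.search(line)
    if m_data:
        # [data] is assumed to be "<fingerprint>,<VARIABLE>". A fingerprint can
        # itself contain the ',' token, so strip the known fingerprint instead
        # of splitting on the first comma.
        data, prefix = m_data.group(1), fp + ","
        if data.startswith(prefix):
            variable = data[len(prefix):]
    client = CLIENT_RE.search(line)
    return {"id": m_id.group(1), "client": client.group(1) if client else None,
            "fingerprint": fp, "tokens": decode_fingerprint(fp), "variable": variable}

# Constructed sample log: the alert quoted on this page plus a made-up line whose fingerprint contains a comma token.
SAMPLE_LOG = [
    '[Tue Feb 14 10:06:52 2017] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/11_asl_adv_rules.conf"] [line "82"] [id "341245"] [rev "28"] [msg "Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)"] [data "nf(n),ARGS:somevariable"] [severity "CRITICAL"] Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint \'nf(n)\' [hostname "example.com"] [uri "/some/url"] [unique_id "WKJmPApYHEUAAAti9GAAAAAN"]',
    '[Tue Feb 14 10:07:01 2017] [error] [client 10.0.0.7] ModSecurity: [id "341245"] [data "1,1,ARGS:id"] [severity "CRITICAL"] detected SQLi using libinjection with fingerprint \'1,1\' [uri "/items"]',
]

def summarize(lines):
    return [hit for hit in map(parse_alert, lines) if hit]
```

Running `summarize(SAMPLE_LOG)` yields one record per alert with the decoded token list, which is the quickest way to see why a given request was blocked before deciding whether to report it as a false positive.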

Troubleshooting

False Positives

If you believe this is a false positive, please report it to our security team to determine whether it is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you want to disable or tune this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

None.
