WAF 341245

From Atomicorp Wiki
Revision as of 16:07, 15 February 2017 by Mshinn (Talk | contribs)

Rule: 341245
Status: Active
Alert Message: Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)

Description

This rule detects possible SQL injection attacks. It does this by looking for either SQL commands or unusual combinations of metacharacters that SQL servers will interpret as comments or delimiters, which attackers may use to obfuscate SQL injection attacks. This rule uses an external library (libinjection, as the alert message shows) to analyze the content. If you have a false positive with this rule, please report it to us.

Fingerprints

This rule looks for fingerprints in the input that may be SQL and presents the fingerprint as a series of letters and symbols describing the fingerprints found. The algorithm reports a possible SQL injection attack based on a series of fingerprints, or in some very specific cases on a single fingerprint, depending on the degree to which that fingerprint alone demonstrates a possible SQL injection or whether a set of fingerprints is necessary to arrive at that conclusion. In general the algorithm combines fingerprints to determine whether an input may be a SQLi attack.


The following is a list of the fingerprint types. Each fingerprint type may have hundreds of sub-types to capture all the possible permutations; for example, the keyword type covers hundreds of known SQL commands:


  • U = UNION
  • G = GROUP
  • E = EXPRESSION
  • t = sql type statement
  • f = function (input looks like a possible function, for example execute(some command))
  • n = bare word (a bare word was detected, when combined with other signatures this may identify a series of SQL commands)
  • 1 = numbers
  • v = variable
  • s = string
  • o = operator (AND, OR, NOT, etc.)
  • & = logic operator
  • c = comment (comment characters such as /*, -- and others)
  • A = COLLATE
  • ( = left parenthesis
  • ) = right parenthesis
  • { = left brace
  • } = right brace
  • . = dot
  • , = comma
  • : = colon
  • ; = semicolon
  • T = TSQL START
  • X = could not parse and aborted
  • \ = backslash
  • k = keyword (known SQL statements, such as SMALLDATETIMEFROMPARTS, SQL_BUFFER_RESULT, IS_SRVROLEMEMBER, etc)

There are effectively an infinite number of combinations of fingerprints; the intent of this algorithm is to analyze the content and find possible patterns in an infinite set of potential SQL injection attacks.

Examples

The alert may look like this:


[Tue Feb 14 10:06:52 2017] [error] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/11_asl_adv_rules.conf"] [line "82"] [id "341245"] [rev "28"] [msg "Atomicorp.com WAF Rules: Possible SQL injection attack (detectSQLi)"] [data "nf(n),ARGS:somevariable"] [severity "CRITICAL"] Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint 'nf(n)' [hostname "example.com"] [uri "/some/url"] [unique_id "WKJmPApYHEUAAAti9GAAAAAN"]

In this example, the fingerprint is "nf(n)", which represents a series of fingerprints that, when combined, are flagged as possible SQL commands or other potentially hazardous or malicious content. Using the table above, this signature contains 5 fingerprints:

  • n = bare word
  • f = function
  • ( = left parenthesis
  • n = bare word
  • ) = right parenthesis

Which means:

A bare word, combined with a function followed by a bare word inside parentheses, was found in the argument "somevariable". Here is an example of an input that would generate this fingerprint:

somevariable=select group(users)

The actual content will vary; this is just one example of content that would generate this series of fingerprints.
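As an added example (not part of this wiki page or of Atomicorp's rule set), the following Python script shows how an analyst might triage alerts from this rule: it parses an error-log line in the format shown above, pulls the rule id, client, affected variable and fingerprint out of the bracketed fields, and decodes each fingerprint character using the legend from the fingerprint table. The log line is a constructed sample modelled on the one on this page; the regular expressions, the `FINGERPRINT_LEGEND` dictionary and the function names are assumptions of this example and are not part of ModSecurity or libinjection.

```python
import re

# Fingerprint token legend, transcribed from the fingerprint table on this page.
FINGERPRINT_LEGEND = {
    "U": "UNION",
    "G": "GROUP",
    "E": "EXPRESSION",
    "t": "SQL type statement",
    "f": "function",
    "n": "bare word",
    "1": "number",
    "v": "variable",
    "s": "string",
    "o": "operator",
    "&": "logic operator",
    "c": "comment",
    "A": "COLLATE",
    "(": "left parenthesis",
    ")": "right parenthesis",
    "{": "left brace",
    "}": "right brace",
    ".": "dot",
    ",": "comma",
    ":": "colon",
    ";": "semicolon",
    "T": "TSQL START",
    "X": "could not parse and aborted",
    "\\": "backslash",
    "k": "keyword",
}

# Constructed sample alert line, modelled on the one shown in the Examples section.
SAMPLE_ALERT = (
    '[Tue Feb 14 10:06:52 2017] [error] [client 1.2.3.4] ModSecurity: '
    '[file "/etc/httpd/modsecurity.d/11_asl_adv_rules.conf"] [line "82"] '
    '[id "341245"] [rev "28"] [msg "Atomicorp.com WAF Rules: Possible SQL '
    'injection attack (detectSQLi)"] [data "nf(n),ARGS:somevariable"] '
    '[severity "CRITICAL"] Access denied with code 403 (phase 2). detected '
    "SQLi using libinjection with fingerprint 'nf(n)' "
    '[hostname "example.com"] [uri "/some/url"] [unique_id "WKJmPApYHEUAAAti9GAAAAAN"]'
)

# Quoted fields look like [key "value"]; the client field is unquoted.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_alert(line):
    """Return a dict of the bracketed fields plus the split-out fingerprint and variable."""
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    if client:
        fields["client"] = client.group(1)
    # For this rule the data field is "<fingerprint>,<variable name>".
    fingerprint, _, variable = fields.get("data", "").partition(",")
    fields["fingerprint"] = fingerprint
    fields["variable"] = variable
    return fields


def explain_fingerprint(fingerprint):
    """Map each fingerprint character to its meaning from the legend."""
    return [(ch, FINGERPRINT_LEGEND.get(ch, "unknown token")) for ch in fingerprint]


def summarize(line):
    """One-line triage summary: which rule, which input, which client, and why it fired."""
    f = parse_alert(line)
    tokens = " + ".join(f"{ch}={meaning}" for ch, meaning in explain_fingerprint(f["fingerprint"]))
    return f'rule {f.get("id")} on {f.get("variable")} from {f.get("client")}: {tokens}'


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERT))
```

The decoded token list is what you compare against the actual request parameter when deciding whether the hit is a true positive or a false positive to report: if the value of the named variable legitimately contains a word followed by a function-style call in parentheses, the fingerprint explains exactly why the library matched it.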

Troubleshooting

False Positives

If you believe this is a false positive, please report it to our security team so we can determine whether this is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you want to disable or tune this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

None.
