
Frequent SQL-INJ false positives

I am having a frequent issue of the SQL-INJ signatures matching and alarming on content that has no resemblance to a SQL injection attack.

Here is an example:

txtBio=

Julie0x20Brown:0x20Julie0x20‘

This flagged attack signature 200002175 - SQL-INJ create table.


Every day I get a couple thousand of these sort of false positives. If I disable on parameter then eventually I will have no parameters being protected.


Any thoughts?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Steve,

So that signature is fairly broad in its net cast (generic sql catch). I usually disable the generic one and leave all the more advanced mysql rules to provide protection.

I'll need to look at the regex of the rule again, but if I recall it's called in the rule that it may have a higher false positive rate.

Sorry for the brief response, in the middle of a class.

-josh
security monkey
Thanks for responding.  


Have you found a way to look into the reg-ex that makes up that rule?  I'd love to see the 'source' of some of these rules.

If anyone has a way to look at the source of Attack Signatures I would be grateful on how to do that as well.
Mike, Steve,

Only ever done this in 9.x but imagine 10.x and 11.x are the same (I'll check), but if you run an asmqkview and unzip the snapshot file you should find there is an asm_mysql.dump file which has a list of all the sigs and the regex rules for them.

For the attack mentioned above you get this:

,'SQL-INJ create table','paramcontent:\"create\"; nocase; norm; paramcontent:\"table\"; norm; nocase; distance:0; pcre:\"/^[^=]*=.*?(?:\\x22|\'|\\(|\\)|=|;|--|#|\\+|\\/\\*)/Psi\";


Josh did a tech tip on how to dissect attack sigs by creating a custom one which is a useful addition to this.

Hope this helps,
N
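To see why this signature fires on ordinary text, here is an added Python re-implementation of the rule quoted above (example code, not F5's engine or anything from this thread). The sample bios are constructed, and the reading of distance:0 and of the /Psi flags is an assumption, since the page does not define them.

```python
import re

# Added example (not F5's code): re-implements the matching logic of
# signature 200002175 as quoted from the asm_mysql.dump line above, so a
# false positive can be reproduced and explained offline.
#
#   paramcontent:"create"; nocase; paramcontent:"table"; nocase; distance:0;
#   pcre:"/^[^=]*=.*?(?:\x22|'|\(|\)|=|;|--|#|\+|\/\*)/Psi"
#
# Assumptions (not spelled out on the page): "distance:0" means "table" may
# start anywhere at or after the end of "create"; the pcre runs over the raw
# "name=value" pair; /P is read as "match the parameter", /s as DOTALL and
# /i as IGNORECASE.

SPECIAL_AFTER_EQUALS = re.compile(
    r"^[^=]*=.*?(?:\x22|'|\(|\)|=|;|--|#|\+|/\*)", re.IGNORECASE | re.DOTALL
)


def failed_checks(name: str, value: str) -> list:
    """Return the names of the signature's conditions that did NOT match.
    An empty list means the signature fires on this parameter."""
    failed = []
    low = value.lower()
    create_at = low.find("create")
    if create_at < 0:
        failed.append("create")
        table_from = 0
    else:
        table_from = create_at + len("create")
    if low.find("table", table_from) < 0:
        failed.append("table")
    if SPECIAL_AFTER_EQUALS.search(f"{name}={value}") is None:
        failed.append("pcre")
    return failed


def sig_200002175_matches(name: str, value: str) -> bool:
    return not failed_checks(name, value)


if __name__ == "__main__":
    # Constructed sample bios, not the original poster's data.
    samples = [
        "I create table centrepieces for weddings; ask for Julie's prices.",
        "I create table centrepieces for weddings",
        "Julie's garden notes",
        "CREATE TABLE users (id int)",
    ]
    for bio in samples:
        print(sig_200002175_matches("txtBio", bio), failed_checks("txtBio", bio), bio)
```

Any free-text field containing the words "create" and "table" plus a single apostrophe or semicolon trips all three conditions, which is the kind of benign bio that produces the daily alarms described above.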
I ran asmqkview on an 11.x box and the asm_mysql.dump file isn't there :-(

I will continue the search....