Forum Discussion

imac_105647
Jul 08, 2010

Attack signature not triggered

Hello,

We had a visit from an attacker last night and ASM did not trigger on this URI:

/content/job-details.php?id=-49893%20UNION%20SELECT%20CHAR(97,102,56,56,48,48,55,53,97,97)--1040

I see there is a UNION SELECT SQL Injection attack signature that seems to be active for the policy in place for this website, but the attack did not trigger it.

Any idea why that might be the case?

Incidentally we also run mod_security and that blocked the attack.

Thanks, Ian

 

7 Replies

  • Hi Ian,

    I tried testing with a parameter value set to -49893%20UNION%20SELECT%20CHAR(97,102,56,56,48,48,55,53,97,97)--1040 and see two signatures triggered:

    SQL-INJ "UNION SELECT" (Parameter) 200000073

    SQL-INJ CHAR() 200002270

    Can you confirm these two signatures are enabled in your policy under the Attack Signatures | Policy Attack Signatures? If so, are they still enabled on the id or global * parameter? Does the parameter that the request matched have checks enabled?

    If you want to email me the full request info page, I can take a quick look today.

    Aaron
  • Hi Aaron,

    Yes, the signatures appear to be enabled both globally on the policy and on the wildcard parameter.

    The ASM did not alert, so there is no full request info page unfortunately. I only know about the attack because mod_security stepped in its way.

    I might try to modify the URI to get ASM to trigger for another metacharacter and see what happens then.

    Ian
  • Sorry, that would only have worked if you were logging all requests. You could also append a query string parameter with a ' or some other metacharacter that is marked as illegal to trigger a violation.

    Aaron
  • Odder and odder,

    Some of my tests have triggered the ASM now. I've sent the full request text for one of those.

    Ian
  • I think it is something to do with staging. The policy is new and the signatures are shown as "In staging since 08/07/2010". Does this affect what they do?
  • Staging allows you to make changes to the policy (generally tightening it) and put the changes in transparent mode. If you have staging enabled (under Policy | Staging-Tightening Period) and update the attack sigs, modified and new signatures will be put in staging until you manually enable them.

    Aaron
  • Yes, that is what it was. I've turned staging off and re-ran the query and the ASM alerts. Thanks for your help, sorry to bother you.

    Ian
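To illustrate the behaviour Aaron describes (a signature that matches but is still in staging produces a log entry rather than an enforced block), here is an added Python example that is not part of the thread and not F5's code. It decodes the query string of the request Ian posted, matches it against two constructed patterns standing in for signatures 200000073 and 200002270 (assumed approximations, not the real signature definitions), and shows how a staged signature set changes the outcome.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the two signatures named in the thread.
# Assumption: these regexes approximate, and do not reproduce, F5's definitions.
SIGNATURES = {
    "200000073": ('SQL-INJ "UNION SELECT" (Parameter)',
                  re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.IGNORECASE)),
    "200002270": ("SQL-INJ CHAR()",
                  re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)", re.IGNORECASE)),
}

# The request from the original post (copied from the thread, not constructed).
REQUEST_URI = ("/content/job-details.php?id=-49893%20UNION%20SELECT%20"
               "CHAR(97,102,56,56,48,48,55,53,97,97)--1040")


def match_signatures(uri):
    """Percent-decode every query parameter value and return the ids of the
    signatures whose pattern matches at least one value, sorted."""
    query = urlsplit(uri).query
    hits = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:  # parse_qs already decodes %20 etc.
            for sig_id, (_, pattern) in SIGNATURES.items():
                if pattern.search(value):
                    hits.add(sig_id)
    return sorted(hits)


def evaluate(uri, staged):
    """Apply the staging rule from the thread: matched signatures that are
    still in staging only generate a log entry; only signatures that have
    been manually enforced can block. Returns a small decision record."""
    hits = match_signatures(uri)
    enforced = [s for s in hits if s not in staged]
    staged_only = [s for s in hits if s in staged]
    return {
        "matched": hits,
        "blocked": bool(enforced),       # at least one enforced signature hit
        "logged_only": staged_only,      # hits that staging turned into alerts
    }


if __name__ == "__main__":
    new_policy = {"200000073", "200002270"}   # both sigs "In staging" (constructed)
    print(evaluate(REQUEST_URI, new_policy))  # matched, but blocked is False
    print(evaluate(REQUEST_URI, set()))       # staging off: blocked is True
```

Against the posted URI both stand-in signatures match, and the decision flips from logged-only to blocked only once neither signature is in the staged set, which is the behaviour Ian saw after turning staging off.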