SQL-INJ "drop Schema" reporting in ASM 11.3

Question

All,&nbsp;
 &nbsp;
In our 11.3 ASM, we triped an attack signiture detected for the following. Looking to understand why this registered? I see schema included as part of the parameter value, but is that enough to say this may be an attack?&nbsp;
 &nbsp;
"wresult=2013-05-21T15:23:30.278Z&nbsp;

chris_campbell1 · Answer

If you know the sig-ID you can pull the actual signature from the ASM database and see exactly why it matched.

lazar_92526 · Answer

I did, and when I did a view details, I got the following for detected keywords&nbsp;
 &nbsp;
wresult=0x20xlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"&gt;0x20xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"&gt;2013-05-21T15:23:30.278Z&nbsp;

chris_campbell1 · Answer

Depending on the signature it can be a keyword type or a regex type (you can see all the signature options here: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_apx_attack_sig_syntax.html1005373) so it's certainly enough to say that if the signature was matched then a suspicious value was found. Having said that you need a full understanding of the application to say whether the particular match was a false positive or not. Usually the source of the attack gives you some clue, was this from an authenticated user? Can you find out who that user is and speak to them?

lazar_92526 · Answer

Chris,&nbsp;
 &nbsp;
This is coming from the default signature (see below) and not a customized one. Do the default sigs just trip on keywords?&nbsp;
 &nbsp;
 &nbsp;

Signature Properties&nbsp;

Name SQL-INJ "DROP SCHEMA" (Parameter)&nbsp;
ID 200002283&nbsp;
Signature Type Request&nbsp;
Apply to Parameter, XML, JSON, GWT&nbsp;
Attack Type SQL-Injection&nbsp;
Systems General Database IBM DB2 Microsoft SQL Server MySQL Oracle PostgreSQL Sybase/ASE&nbsp;
Accuracy High&nbsp;
Risk High&nbsp;
User-defined No&nbsp;
Revision 1&nbsp;
Last Updated 02/05/2013&nbsp;
Documentation View&nbsp;
References www.owasp.org/index.php/SQL_Injection www.webappsec.org/projects/threat/c...tion.shtml&nbsp;

&nbsp;

hooleylist · Answer

Hi Lazar, 
&nbsp;  
&nbsp; The signature is looking for drop and schema and a fairly complex regex.  It's not just looking for those two key words. 
&nbsp;  
&nbsp; If you're seeing false positives on just one parameter, I'd disable the signature on a new global parameter with that name.  If you're seeing false positives on several parameters, you could disable the signature across the policy. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

SQL-INJ "drop Schema" reporting in ASM 11.3

5 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Re: BigIP Report

BigIP Report Old

Get started with F5 Distributed Cloud WAAP Scheduled Reports

F5 2023 State of Application Strategy Report

Big-IP Reporting? Vserver traffic stats, etc.?