sandy2810
New Member
March 26, 2013
Question

Fortigate UTM IPS fails to detect SQL Injection attacks.

  • March 26, 2013
  • 3 replies
  • 11180 views
Hi Everyone, I am finding it difficult to comprehend why our Fortigate IPS fails to detect SQL injection attacks. Our Cisco IPS, however, detects these kinds of attacks. Initially I thought that the alerts generated by the Cisco IPS were false positives; however, I was wrong. It correctly detected the SQL injection attempts that I made to confirm the validity of the alert. The weird part is that our Cisco IPS has outdated IPS signatures yet it detects such attacks, and the Fortigate with the latest IPS signatures fails to. Any explanation of the above issue would be interesting. Regards

    3 replies

    emnoc
    New Member
    March 26, 2013
    Does the Cisco list the CVSS value, and is the attack signature a commonly known attack? Once you find out the attack signature (e.g. Nessus ID), you can review your FGT to ensure that signature is enabled in your IDS/IPS sensor. It can't detect something that's not enabled.
    sandy2810 (Author)
    New Member
    March 27, 2013
    Cisco does not list the CVSS value, but it has the Signature ID 5930. You may google it for more details on the signature. This attack signature should be a known attack, in my opinion. I have enabled medium, high and critical signatures on the FGT. I scanned for SQL injection related signatures and found them enabled on the FGT. The thing that bothers me is that I tried the attack using the Firefox plugin SQL InjectMe; the FGT failed to detect it, whereas the Cisco IPS detected the attempt.
    emnoc
    New Member
    March 27, 2013
    ID 5930
    So you will need to query your active engaged signatures, and you might want to query your IPS database at http://www.fortiguard.com/updates/ips.html, e.g. get system status (to validate your signature DB). If your database is not up to date, then push or pull an update. And then query the signature in your UTM > Intrusion > IPS sensor and make sure it's applied. Once again, if the signature is not applied then it can't identify the attack.
    sandy2810 (Author)
    New Member
    March 28, 2013
    The IPS database on the FGT is the latest. I have enabled all signatures related to SQL, but it would still not detect the attack. I would probably relate this behavior to a buggy FortiOS version 5. I've heard a lot from the industry that this particular version is not stable yet. I don't quite understand why Fortinet had to release it when it had so many bugs. What's your take on this? Regards
    emnoc
    New Member
    March 28, 2013
    Not running v5 on anything in production outside of a FWF60D for my home/lab, so I can honestly make a comment. For the signatures, you will need to look at mssql-xss-injection or mysql-xss-injection or something like that. Then, to confirm the signature triggers, use something like Nessus to test a host and see if you get an alert. Set the alert for log and no blocking.