Eric_Davis
New Member
October 23, 2012
Question

HTTP.URI.SQL.Injection

I am getting a lot of HTTP.URI.SQL.Injection alerts recently. From what I can tell, it seems to be when an iOS (Apple) app has banner ads. Whenever I launch an app that shows banner ads, I get this alert (or similar):

The following intrusion was observed: . date=2012-10-23 time=15:32:04 devname=FGT_Firewall device_id=FGT80Cxxxx log_id=0419016384 type=ips subtype=signature pri=alert severity=high carrier_ep=" N/A" profilegroup=" N/A" profiletype=" N/A" profile=" N/A" src=192.168.1.231 dst=98.139.43.115 src_int=" internal" dst_int=" wan1" policyid=2 intf_policyid=N/A identidx=0 serial=1204932 status=detected proto=6 service=http vd=" root" count=1 attack_name=HTTP.URI.SQL.Injection src_port=61394 dst_port=80 attack_id=15621 sensor=" default" ref=" http://www.fortinet.com/ids/VID15621" user=" N/A" group=" N/A" incident_serialno=1256463166 msg=" web_misc: HTTP.URI.SQL.Injection"

I have a Fortigate 80C running v4.0, MR3 patch10. The IPS sensor is using the built-in default (prevent critical attacks). Any idea why this is happening, or how I can disable this one particular signature?

    2 replies

    Sumanth_FTNT
    Staff
    November 8, 2012
    Hi Eric,

    You can disable the particular signature with the override option. As you can see below, select the particular rule (in this case 15621, seen in your logs) and set its action to pass. This solves the issue for now.

        config ips sensor
            edit "default"
                set comment "prevent critical attacks"
                config entries
                    edit 2
                        set action pass
                        set rule 15621
                        set status enable
                    next
                    edit 1
                        set severity medium high critical
                    next
                end
            next
        end

    Regards,
    Sumanth
    Coldfirex
    New Member
    November 9, 2012
    We have seen this some too lately. HTTP.URI.SQL.Injection with a destination of 50.97.180.3 which does appear to be ad-related.
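
Added example, not part of the original thread or of any Fortinet tooling: before setting a signature to pass, it helps to confirm which destinations actually trigger it. This sketch parses the key=value log format shown in the question and counts hits for one attack_id per destination; the sample lines are constructed, apart from the field subset taken from the quoted alert, and attack_id 99999 is a placeholder.

```python
import re
from collections import Counter

# Matches key=value and key="quoted value"; only quoted values may hold spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # The quoted alert pads quoted values (" N/A"), so strip them.
        fields[key] = (quoted or bare).strip()
    return fields

def hits_by_destination(lines, attack_id):
    """Count IPS hits for one signature, keyed by (dst, dst_port)."""
    hits = Counter()
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") == "ips" and f.get("attack_id") == attack_id:
            hits[(f.get("dst"), f.get("dst_port"))] += 1
    return hits

SAMPLE = [
    # Field subset of the alert quoted in the question.
    'date=2012-10-23 time=15:32:04 type=ips subtype=signature severity=high '
    'src=192.168.1.231 dst=98.139.43.115 status=detected service=http '
    'attack_name=HTTP.URI.SQL.Injection dst_port=80 attack_id=15621 '
    'sensor=" default" msg=" web_misc: HTTP.URI.SQL.Injection"',
    # Constructed lines from here on.
    'date=2012-10-23 time=15:40:11 type=ips src=192.168.1.231 '
    'dst=98.139.43.115 status=detected dst_port=80 attack_id=15621',
    'date=2012-11-09 time=09:02:57 type=ips src=192.168.1.40 '
    'dst=50.97.180.3 status=detected dst_port=80 attack_id=15621',
    # Different signature (placeholder id): must not be counted.
    'date=2012-11-09 time=09:03:10 type=ips src=192.168.1.40 '
    'dst=203.0.113.10 status=detected dst_port=80 attack_id=99999',
    # Not an IPS record: must not be counted.
    'date=2012-11-09 time=09:04:00 type=traffic src=192.168.1.40 '
    'dst=98.139.43.115 dst_port=80 status=accept',
]

if __name__ == "__main__":
    for (dst, port), n in hits_by_destination(SAMPLE, "15621").most_common():
        print(f"{dst}:{port}  {n} hit(s)")
```

If the hits cluster on a handful of ad-serving destinations, a narrow override like the one above is easier to justify than if they are spread across unrelated hosts.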