Created on 10-31-2008 08:24 AM
Description: SQL Injection attacks
Steps or Commands:
SQL Injection is a generic classification for a type of attack, not a single exploit. There are many ways to carry it out against a database that an application exposes, directly or indirectly, to remote input. There are also many database platforms (DB2, Oracle, MS-SQL, MySQL, just to name a few) and many operating systems they run on. Each combination has its own SQL dialect, its own vulnerabilities, and its own ways of being hit with SQL Injection.
An SQL statement is, by nature, very flexible. To accurately identify SQL statements, the IPS would need to parse the full SQL syntax of every dialect, and to decide whether a statement is an attack it would also need to understand its meaning in the context of the application that issues it. From a performance point of view, it is not feasible to define one generic rule that scans all packets for SQL injection: that would mean searching for and identifying SQL on every port, and then parsing the SQL for every database platform separately.
To narrow down the number of packets to inspect, we need to know the attack vector of each vulnerability that can be exploited via SQL injection, for example which user-input value (a URI parameter, a form field, a header) can carry an injected SQL fragment. As such, most of our signatures are based on these known attack vectors. They are published in vulnerability databases such as CVE (Common Vulnerabilities and Exposures) and others like it.
We also have a generic signature named HTTP.URI.SQL.Injection. It detects some suspicious SQL fragments in an HTTP request URI, which covers the most common vector (injection through URL query parameters) but not every encoding or dialect, so it should be treated as a complement to the vector-specific signatures rather than a replacement for them. No vendor can provide a generic rule that covers all SQL injection attacks. Our IPS database contains many signatures for SQL Injection detection and prevention. We can block any packet or stream of packets that matches a signature in the IPS database, and our IPS team is constantly modifying signatures and enhancing detection.
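To make the limits of a generic URI signature concrete, here is a small added example (written for this page, not the vendor's HTTP.URI.SQL.Injection implementation, whose internal patterns are not published) that applies a handful of assumed SQL-fragment patterns to the query string of HTTP request lines. The request lines and the pattern list are constructed for illustration. It shows three things the text describes: a plain tautology is easy to catch, a double-percent-encoded payload is missed unless the inspector decodes as many times as the web server will, and a keyword match without any understanding of meaning produces false positives on ordinary text.

```python
"""Toy HTTP-URI SQL-injection signature check (added example, not vendor code)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Assumed detection patterns, applied to a fully decoded query-string value.
# A real IPS signature set is larger and tuned per vector; these are illustrative.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"""['"]\s*or\s+['"]?\d+['"]?\s*=\s*['"]?\d+""", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec|shutdown)\b", re.I)),
]

# Constructed sample traffic: benign, plain injection, double-encoded injection,
# and benign text that happens to contain SQL keywords.
SAMPLE_REQUESTS = [
    "GET /product.php?id=1 HTTP/1.1",
    "GET /product.php?id=1'%20OR%20'1'='1 HTTP/1.1",
    "GET /search.php?q=%2527%2520UNION%2520SELECT%2520user%252Cpassword"
    "%2520FROM%2520users%252D%252D HTTP/1.1",
    "GET /docs.php?title=union+members+select+new+leader HTTP/1.1",
]


def decode_value(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times.

    Attackers double-encode payloads so that a single decode still looks
    harmless; the inspector must decode at least as many times as the target
    web server does before matching.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request_line(request_line: str, rounds: int = 2) -> list:
    """Return (parameter, pattern_name) hits for one HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        # partition on the first '=' only: the value may itself contain '='
        raw_name, _sep, raw_value = pair.partition("=")
        name = decode_value(raw_name, rounds)
        value = decode_value(raw_value, rounds)
        for pattern_name, pattern in SQLI_PATTERNS:
            if pattern.search(value):
                hits.append((name, pattern_name))
    return hits


def scan(request_lines, rounds: int = 2) -> dict:
    """Map each request line to its list of hits (empty list means no alert)."""
    return {line: inspect_request_line(line, rounds) for line in request_lines}


if __name__ == "__main__":
    for rounds in (1, 2):
        print(f"--- decode rounds = {rounds} ---")
        for line, hits in scan(SAMPLE_REQUESTS, rounds).items():
            verdict = ", ".join(f"{p}:{n}" for p, n in hits) or "clean"
            print(f"{verdict:40} {line}")
```

With one decode round the double-encoded UNION SELECT request is reported clean; with two it is caught. The last request is flagged as union-select although it is plain English, which is exactly why a generic rule can only cover "some" suspicious fragments and why vector-specific signatures, which know which parameter is injectable and what it normally contains, are preferred.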
To have our IPS team develop a signature that detects or prevents a particular SQL injection attack, contact our technical support department. At a minimum, the request must include a verbose packet capture of the attack traffic and a reference to the vulnerability publication (for example the CVE entry or vendor advisory) so that our IPS development team can investigate whether a signature can be developed.