Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sandy2810
New Contributor

Fortigate UTM IPS fails to detect SQL Injection attacks.

Hi Everyone, I am finding it difficult to comprehend why our Fortigate IPS fails to detect SQL injection attacks. Our Cisco IPS however detects these kind of attacks. Initially I thought that the alerts generated by Cisco IPS are false positives, however I was wrong. It correctly detected the SQL injection attempts that I made to confirm the validity of the alert. The weird part is our Cisco IPS has outdated IPS signatures yet it detects such attacks and Fortigate with the latest IPS signatures fails to. Any explanation to the above issue will be interesting. Regards
5 REPLIES 5
emnoc
Esteemed Contributor III

Does the cisco list the cvss value and is the attack signature a commonly known attack? Once you find out the attack signature ( eg nessus id ), you can review your FGT to ensure that signature is enabled in your IDS/IPS sensor. It can' t detect something that' s not enabled.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
sandy2810

Cisco does not list the cvss value but it has the Signature ID 5930. You may google it for more details on the signature. This attack signature should be a known attack in my opinion. I have enabled medium,high and critical signatures on FGT. I scanned for SQL injection related signatures and found them enabled on FGT. The thing that bothers me is I tried the attack using firefox plugin SQL InjectMe, FGT failed to detect it whereas Cisco IPS detected the attempt.
emnoc
Esteemed Contributor III

ID 5930
So you will need to query your active enaged signature and you might want to query your ips database http://www.fortiguard.com/updates/ips.html e.g get system status ( to validate your signature db ), if your datebase is not up2date, than push or pull a update. And then query the signature in your UTM >intrusion > ips sensor and make sure it' s applied. Once again, if the signature is not apply than it can identified the atatck

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
sandy2810

The IPS database on FGT is latest. I have enabled all signatures related to SQL but it would still not detect the attack. I would probably relate this behavior to a buggy FortiOS version 5. Heard a lot from the industry that this particular version is not stable yet. Dont quite understand why Fortinet had to release it when it had so many bugs. Whats your take on this? Regards
emnoc
Esteemed Contributor III

Not running v5 on anything production outside of a FWF60D for my home/lab. So I can honesty make a comment. For the signatures, you will need to look at mssql-xss-injection or mysql-xss-injection or something like. Than to confirm the signature triggers, use something like Nessus to test a host and see you get an alert. Set the alert for log and no blocking.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors