Forum Discussion
Frequent SQL-INJ false positives
I am having a frequent issue with the SQL-INJ signatures matching and alarming on content that bears no resemblance to a SQL injection attack.
Here is an example:
txtBio=
Julie0x20Brown:0x20Julie0x20‘
This flagged attack signature 200002175 - SQL-INJ create table.
Every day I get a couple thousand of these sorts of false positives. If I disable it on a parameter, then eventually I will have no parameters being protected.
Any thoughts?
5 Replies
- jwham20
Nimbostratus
Steve,
So that signature casts a fairly broad net (generic SQL catch). I usually disable the generic one and leave all the more advanced MySQL rules to provide protection.
I'll need to look at the regex of the rule again, but if I recall, it's called out in the rule that it may have a higher false positive rate.
Sorry for the brief response, in middle of a class.
-josh
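Before disabling a signature globally or per parameter, it is worth running the false-positive samples from the logs, together with a handful of known-bad payloads, against both the broad and the narrow patterns so the trade-off is measured rather than guessed. The script below is an added example, not code from this thread or from F5: the regexes are hypothetical stand-ins written for illustration (the real signature source is exactly what the thread is asking how to see), and every input value is constructed, the first benign one being the txtBio value quoted above.

```python
import re

# Constructed sample values. The first benign entry is the txtBio value from the
# original post; the others are made up to resemble ordinary user-supplied text.
BENIGN_VALUES = [
    "Julie0x20Brown:0x20Julie0x20\u2018",               # fired the "create table" signature
    "My office is in room 0x1F on the second floor",    # hex-looking token in prose
    "I'd love to create tables for my next Excel workshop",
]

# Constructed attack payloads a CREATE TABLE / UNION SELECT signature must still catch,
# including the comment- and plus-separated forms that evasion tooling produces.
MALICIOUS_VALUES = [
    "x'; CREATE TABLE z (c varchar(1)); --",
    "x\"); create temporary table z select * from users; --",
    "x'/**/CREATE/**/TABLE/**/z(c int)--",
    "1 union select 0x61646d696e from t",
]

# Token separator used by the strict patterns: whitespace, an inline comment, or a
# '+' (a URL-encoded space that reached the inspection point undecoded).
SEP = r"(?:\s|/\*.*?\*/|\+)+"

# Hypothetical "generic" pattern: any hex literal or bare SQL verb, no context required.
# This is the shape of rule that matches "0x20" inside an ordinary name.
GENERIC_SQLI = re.compile(r"0x[0-9a-f]{2,}|\b(?:create|select|union)\b", re.IGNORECASE)

# Hypothetical strict patterns: verb plus object, with the separator allowed between
# them and word boundaries on both ends so "create tables" (plural prose) is not a hit.
CREATE_TABLE_STRICT = re.compile(
    rf"(?<![a-z])create{SEP}(?:temp(?:orary)?{SEP})?table(?![a-z])",
    re.IGNORECASE | re.DOTALL,
)
UNION_SELECT_STRICT = re.compile(
    rf"(?<![a-z])union{SEP}(?:all{SEP})?select(?![a-z])",
    re.IGNORECASE | re.DOTALL,
)

SIGNATURE_SETS = {
    "generic only": [("generic-sqli", GENERIC_SQLI)],
    "specific only": [
        ("create-table", CREATE_TABLE_STRICT),
        ("union-select", UNION_SELECT_STRICT),
    ],
}


def first_hit(patterns, value):
    """Return the name of the first signature in the set that matches value, else None."""
    for name, pattern in patterns:
        if pattern.search(value):
            return name
    return None


def evaluate(patterns, benign, malicious):
    """Score a signature set: benign values it flags, and attack values it misses."""
    false_positives = [(v, first_hit(patterns, v)) for v in benign if first_hit(patterns, v)]
    missed = [v for v in malicious if first_hit(patterns, v) is None]
    return {"false_positives": false_positives, "missed": missed}


if __name__ == "__main__":
    for label, patterns in SIGNATURE_SETS.items():
        result = evaluate(patterns, BENIGN_VALUES, MALICIOUS_VALUES)
        print(f"{label}: {len(result['false_positives'])} false positive(s), "
              f"{len(result['missed'])} missed attack(s)")
        for value, name in result["false_positives"]:
            print(f"  FP  [{name}] {value!r}")
        for value in result["missed"]:
            print(f"  MISS {value!r}")
```

The point of keeping a harness like this alongside the policy is that every tuning change (disabling the generic signature, or adding a user-defined one) can be re-checked against the accumulated false-positive samples and the payload corpus in one run, instead of discovering the regression from the next day's alarm volume.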
security monkey - Steve_A_129440
Nimbostratus
Thanks for responding.
Have you found a way to look into the regex that makes up that rule? I'd love to see the 'source' of some of these rules.
- Mike_Maher
Nimbostratus
If anyone has a way to look at the source of Attack Signatures, I would be grateful to know how to do that as well.
- nathe
Cirrocumulus
\\+|\\/\\*)/Psi\";
Josh did a tech tip on how to dissect attack sigs by creating a custom one, which is a useful addition to this.
Hope this helps,
N - nathe
Cirrocumulus
I ran asmqkview on an 11.x box and the asm_mysql.dump file isn't there :-(
I will continue the search....