Forum Discussion

Steve_A_129440
Jul 16, 2013

Frequent SQL-INJ false positives

I am having a frequent issue of the SQL-INJ signatures matching and alarming on content that has no resemblance to a SQL injection attack.

Here is an example:

txtBio=Julie0x20Brown:0x20Julie0x20‘

This flagged attack signature 200002175 - SQL-INJ create table.

Every day I get a couple thousand of these sort of false positives. If I disable on parameter then eventually I will have no parameters being protected.

Any thoughts?
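As an added example (not part of this thread and not F5's signature code): a small Python harness that scores candidate signature patterns against a labelled set of parameter values, reports which parameters the false positives come from, and honours a per-parameter override of the kind the post mentions. The two regexes and every sample row except the quoted txtBio value are constructed assumptions; the real regex behind signature 200002175 is not on this page, so the "broad" pattern is only a stand-in for a loosely written generic rule.

```python
import re
from collections import Counter

# Hypothetical stand-in signatures (constructed for this example; the real regex behind
# F5 signature 200002175 is not shown in the thread). "broad" is a loose generic pattern,
# "strict" requires the syntactic shape of a CREATE TABLE statement.
SIGNATURES = {
    "broad-create-table": re.compile(r"create.{0,12}table", re.IGNORECASE),
    "strict-create-table": re.compile(
        r"(?:^|[;'\"\s])create\s+table\s+[\w.`\"\[\]]+\s*\(", re.IGNORECASE
    ),
}

# Constructed labelled samples: (parameter name, parameter value, is_attack).
# The first value is the one quoted in the post; the remaining rows are invented.
SAMPLES = [
    ("txtBio", "Julie0x20Brown:0x20Julie0x20\u2018", False),
    ("txtBio", "I create pivot table reports for clients", False),
    ("txtBio", "Create a table of contents for the report", False),
    ("search", "O'Brien", False),
    ("txtBio", "x'; CREATE TABLE probe (a int); --", True),
    ("id", "1); create table zz(b int)--", True),
]


def evaluate(signatures=SIGNATURES, samples=SAMPLES):
    """Count hits per signature over the labelled samples.

    Returns {signature: {"tp": n, "fp": n, "fn": n}} so a broad and a strict
    pattern can be compared on the same traffic before either is enabled.
    """
    stats = {name: Counter(tp=0, fp=0, fn=0) for name in signatures}
    for name, regex in signatures.items():
        for _param, value, is_attack in samples:
            hit = regex.search(value) is not None
            if hit and is_attack:
                stats[name]["tp"] += 1
            elif hit:
                stats[name]["fp"] += 1
            elif is_attack:
                stats[name]["fn"] += 1
    return {name: dict(c) for name, c in stats.items()}


def false_positives_by_parameter(name, signatures=SIGNATURES, samples=SAMPLES):
    """Which parameters the false positives for one signature come from: the data to
    look at before choosing between a per-parameter override and dropping the rule."""
    regex = signatures[name]
    return Counter(
        param for param, value, is_attack in samples
        if not is_attack and regex.search(value)
    )


def should_alarm(name, param, value, overrides=frozenset(), signatures=SIGNATURES):
    """Apply one signature to one parameter value, honouring per-parameter overrides
    (a set of (signature, parameter) pairs on which the signature is switched off)."""
    if (name, param) in overrides:
        return False
    return signatures[name].search(value) is not None


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(f"{name:22s} tp={counts['tp']} fp={counts['fp']} fn={counts['fn']}")
    print("broad FPs by parameter:",
          dict(false_positives_by_parameter("broad-create-table")))
```

Run against the constructed samples, the broad pattern catches both attack rows but also two ordinary biographies, while the strict pattern catches the same two attacks with no false positives; the per-parameter breakdown shows that every broad false positive comes from txtBio, which is the evidence you would want before either overriding the signature on that one parameter or replacing the generic rule with the tighter ones.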
5 Replies

  • Steve,

    So that signature is fairly broad in its net cast (generic SQL catch). I usually disable the generic one and leave all the more advanced MySQL rules to provide protection.

    I'll need to look at the regex of the rule again, but if I recall it's called in the rule that it may have a higher false positive rate.

    Sorry for the brief response, in the middle of a class.

    -josh

    security monkey
  • Thanks for responding.

    Have you found a way to look into the regex that makes up that rule? I'd love to see the 'source' of some of these rules.

  • If anyone has a way to look at the source of Attack Signatures I would be grateful to hear how to do that as well.
  • nathe
    \\+|\\/\\*)/Psi\";

    Josh did a tech tip on how to dissect attack sigs by creating a custom one which is a useful addition to this.

    Hope this helps,

    N
  • nathe
    I ran asmqkview on an 11.x box and the asm_mysql.dump file isn't there :-(

    I will continue the search....