This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Need help in identifing and blocking SQL injection attempts

jst3751 over 5 years ago

I have tried searching the existing questions and discussions and have not really found a complete answer.

I have found in LEM the existing item under groups called "XSS and SQL Injection Vectors". (For some reason it is listed under User Defined Group.

I have created a rule template called "Template: SQL Injection Attempt" and cloned that to a rule called "SQL Injection Attempt". I added a email notification and then enabled the rule.

The thing is I can not tell if it is working correctly. Is there a way to setup a test, or test that rule against last weeks data?

0 jrouviere over 5 years ago

A User Defined Group is just a group of search strings or keywords that LEM can evaluate all at once for a rule action or a filter. Typically something created by the end user (you).
LEM isn't able to fire rules against historical data, but one thing that I've done in the past is mirror my Rule correlation in nDepth and run a search against previous data. Usually if you find search results it would indicate the rule would have fired, but there's no substitution for a real test. Ultimately if you have a test scenario or test database that you can run an actual injection against would be the best option.
Cancel
Vote Up 0 Vote Down

Cancel
0 jst3751 over 3 years ago in reply to jrouviere

Wow, I am finally working on this again and was searching and wow found my own posted question.
The last day I have been trying to use that in a nDepth query and it keeps timing out, even only looking at last 10 minutes.
Any help or suggestions are appreciated.
Using SEM 2019.4
Cancel
Vote Up 0 Vote Down

Cancel
0 vitezslav.papiez over 3 years ago in reply to jst3751

Hello,
I am sorry for such late response. Could you open a support ticket, please? I am very interested in the logs and the timing out situation.
Could you please upgrade to the SEM 2020.2.1 version and replicate the search in the new UI? Do you see the same behaviour?
Thank you
Cancel
Vote Up 0 Vote Down

Cancel
0 jst3751 over 3 years ago in reply to vitezslav.papiez

I did have a case open and got a round around and no real answer or solution
Does 2020.2 still include the old flash console? I use Ndepth all the time.
Cancel
Vote Up 0 Vote Down

Cancel
0 vitezslav.papiez over 3 years ago in reply to jst3751

Hello,
were you lucky with the new UI? do you see any issues using the new one for this particular case?
Yes the old flash is there.
Cancel
Vote Up 0 Vote Down

Cancel
0 jst3751 over 3 years ago in reply to vitezslav.papiez

I have not had time to run the update yet.
Cancel
Vote Up 0 Vote Down

Cancel