https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ips-detects-html-sql-injection-attempt-35827-only-after/m-p/295584#M668 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41122">@Benoit_Malenfant</a>,</P><P>Is the traffic running over HTTPS and if so are you performing decryption on the traffic?&nbsp;</P> Thu, 31 Oct 2019 21:45:43 GMT BPry 2019-10-31T21:45:43Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ips-detects-html-sql-injection-attempt-35827-only-after/m-p/295493#M667 <P>During an event investigation, noticed the following behavior:</P><P>&nbsp;</P><OL><LI>Attacker sends SQL injection request to WebServer (that sits behind a Palo-Alto).</LI><LI>WebServer answers with HTTP 302 to redirect to error page (the error page is basically "/error.aspx/[original request from attacker]")</LI><LI>Attacker follows the 302</LI><LI>IPS blocks request at this point.</LI></OL><P>I'm wondering why the IPS is not blocking the SQL injection attempt when the original request from the attacker is sent and only blocks it once the attacker tries to follow the 302?</P><P>&nbsp;</P><P>Anyone else noticed the same behavior?&nbsp;</P> Thu, 31 Oct 2019 16:03:31 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ips-detects-html-sql-injection-attempt-35827-only-after/m-p/295493#M667 Benoit_Malenfant 2019-10-31T16:03:31Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ips-detects-html-sql-injection-attempt-35827-only-after/m-p/295584#M668 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41122">@Benoit_Malenfant</a>,</P><P>Is the traffic running over HTTPS and if so are you performing decryption on the traffic?&nbsp;</P> Thu, 31 Oct 2019 21:45:43 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ips-detects-html-sql-injection-attempt-35827-only-after/m-p/295584#M668 BPry 2019-10-31T21:45:43Z