https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13695#M10038 <HTML><HEAD></HEAD><BODY><P>In this case you don't have to create a Custom Vulnerability Signature but a Custom Application Signature, in the way you have told and creating a security policy with the deny action for that application.</P><P>You have to use "http-req-headers" and insert "Havij" as pattern match. This should works.</P></BODY></HTML> Tue, 07 Jun 2011 16:57:14 GMT migration 2011-06-07T16:57:14Z https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13694#M10037 <HTML><HEAD></HEAD><BODY><P>There doesn't seem to be a filter for this vulnerability at this time so I am trying to write one.&nbsp; By default the program uses its name in the agent string;</P><P></P><PRE>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij</PRE><P></P><P>I am trying to create a vulnerability filter that looks for "Havij" in the agent string, my belief based on what I have read is the filter should read something like pattern-match http-req-headers, where I am stuck though is the value, since it has to be at least 7 bytes, is there a way to pad "Havij" so it meets the requirement?&nbsp; Or am I going about this wrong.</P><P></P><P>Thanks.</P><P></P><PRE><BR /></PRE></BODY></HTML> Tue, 07 Jun 2011 16:37:01 GMT https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13694#M10037 rodrigum 2011-06-07T16:37:01Z https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13695#M10038 <HTML><HEAD></HEAD><BODY><P>In this case you don't have to create a Custom Vulnerability Signature but a Custom Application Signature, in the way you have told and creating a security policy with the deny action for that application.</P><P>You have to use "http-req-headers" and insert "Havij" as pattern match. This should works.</P></BODY></HTML> Tue, 07 Jun 2011 16:57:14 GMT https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13695#M10038 migration 2011-06-07T16:57:14Z https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13696#M10039 <HTML><HEAD></HEAD><BODY><P>Same error, "must be at least 7 bytes".&nbsp; I am running 3.1 if that helps.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 07 Jun 2011 18:05:55 GMT https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13696#M10039 rodrigum 2011-06-07T18:05:55Z https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13697#M10040 <HTML><HEAD></HEAD><BODY><P>if you do not have a 7 byte anchor for your data pattern then you will get that error. </P><P></P><P>In your case your data pattern is not long enough. Can you pad the pattern with additional characters?</P></BODY></HTML> Tue, 07 Jun 2011 18:19:03 GMT https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13697#M10040 bpappas 2011-06-07T18:19:03Z https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13698#M10041 <HTML><HEAD></HEAD><BODY><P>The string I posted above is what is passed, is there an easy way to use that to create the match string included in it the padding I need/</P></BODY></HTML> Tue, 07 Jun 2011 18:22:35 GMT https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13698#M10041 rodrigum 2011-06-07T18:22:35Z https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13699#M10042 <HTML><HEAD></HEAD><BODY><P>Have you tried this:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">\)\ Havij</SPAN></P></BODY></HTML> Tue, 07 Jun 2011 18:31:31 GMT https://live.paloaltonetworks.com/t5/general-topics/havij-sql-injection-filter/m-p/13699#M10042 bpappas 2011-06-07T18:31:31Z