https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44248#M32483 <HTML><HEAD></HEAD><BODY><P>Hi,<BR />I am checking with engineering on partial pcap issue. For better tracking, I'd recommend filing a support case though.</P><P></P><P>Thanks,<BR />Sandeep </P></BODY></HTML> Thu, 28 Oct 2010 09:46:12 GMT migration 2010-10-28T09:46:12Z https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44245#M32480 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>We recently found a threat "HTTP SQL Injection Attempt" (ID = 30514) with the application "facebook-mail".</P><P>We found that information quite strange. What does it mean exactly?</P><P>Was there some patterns (for example a SQL specific pattern) in the mail?</P><P></P><P>I had a packets capture, but I wasn't be able to find something interesting in there.</P><P></P><P>I'm sure that some experts here can help me to understand that point.</P><P></P><P>Many thanks</P></BODY></HTML> Wed, 27 Oct 2010 16:49:35 GMT https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44245#M32480 migration 2010-10-27T16:49:35Z https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44246#M32481 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I checked the PCAP you sent but since it was incomplete, I couldn't see the HTTP contents. </P><P></P><P>The very likely cause of the signature triggering would be that there was a URL contained within the traffic which contained SQL injection traffic. If you have the entire PCAP available, I can help in analyzing that.</P><P></P><P>Thanks,</P><P>Sandeep</P></BODY></HTML> Thu, 28 Oct 2010 03:53:32 GMT https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44246#M32481 migration 2010-10-28T03:53:32Z https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44247#M32482 <HTML><HEAD></HEAD><BODY><P>Hello Sjain,</P><P></P><P>The PCAP is the only pcap i have (obtained from the Appliance with the option "packet capture" on my vulnerabilities profiles).</P><P>Is it possible to obtain more complete captures in the future?</P><P></P><P>I assume you are right about the URL containing the SQL injection, unfortunately, it seems no possible to check now...</P><P></P><P>Regards,</P></BODY></HTML> Thu, 28 Oct 2010 08:39:00 GMT https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44247#M32482 migration 2010-10-28T08:39:00Z https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44248#M32483 <HTML><HEAD></HEAD><BODY><P>Hi,<BR />I am checking with engineering on partial pcap issue. For better tracking, I'd recommend filing a support case though.</P><P></P><P>Thanks,<BR />Sandeep </P></BODY></HTML> Thu, 28 Oct 2010 09:46:12 GMT https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44248#M32483 migration 2010-10-28T09:46:12Z https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44249#M32484 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>If you are filing a support case, please let me know the case #. Also include "show system info" output in the case.</P><P></P><P>Thanks,<BR />Sandeep </P></BODY></HTML> Tue, 02 Nov 2010 20:26:39 GMT https://live.paloaltonetworks.com/t5/general-topics/http-and-sql-injection-by-facebook-mail/m-p/44249#M32484 migration 2010-11-02T20:26:39Z