https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63597#M38248 <P>Yes its matching the correct policy.</P> Tue, 25 Aug 2015 13:35:26 GMT SOC_CSG 2015-08-25T13:35:26Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63593#M38244 <P>Hi, we are receiving these tries about SQL injection but our Palo alto is not detecting it. How can we do that PA detect this SQLi????? we have updated the threats signatures.</P><P>&nbsp;</P><P>Sql injection</P><P>GET /ficha-modelo?id=2&amp;entidad=99999999%27%20oR%20%277%27=%277 HTTP/1.1" 500 59878 "-" "Mozilla/4.0</P><P>GET /ficha-modelo?entidad=!S!WCRTESTINPUT000000%3C%3E%3c%3e%253c%253e!E!&amp;id=2 HTTP/1.1" 500 59878 "-" "Mozilla/4.0"</P> Tue, 25 Aug 2015 13:21:36 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63593#M38244 SOC_CSG 2015-08-25T13:21:36Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63595#M38246 <P>Have you applied proper security profiles to the concern security policies?</P> Tue, 25 Aug 2015 13:27:44 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63595#M38246 pankaku 2015-08-25T13:27:44Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63597#M38248 <P>Yes its matching the correct policy.</P> Tue, 25 Aug 2015 13:35:26 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63597#M38248 SOC_CSG 2015-08-25T13:35:26Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63598#M38249 <P>No I am talking about the antivirus, antispyware, vulnerabiltiy profile are applied to the security rules?</P> Tue, 25 Aug 2015 14:31:10 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63598#M38249 pankaku 2015-08-25T14:31:10Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63600#M38251 <P>we have the 3 security profiles assigned in the default config for this connection. What can we do in order to detect this SQLi???&nbsp;</P> Tue, 25 Aug 2015 14:44:38 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63600#M38251 SOC_CSG 2015-08-25T14:44:38Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63603#M38253 <P>typicall something that should be caught by a WAF/ReverseProxy that is fine tuned for specific customer needs, not a firewall or a IPS in my opinion.</P> Tue, 25 Aug 2015 15:11:47 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63603#M38253 cpainchaud 2015-08-25T15:11:47Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63605#M38254 <P>You have to create security profile and apply them into the security rules</P><P>&nbsp;</P><P>Objectes&gt; Security profiles&gt; Antivirus&gt; clone default one and modify it accordingly.</P><P><SPAN>Objectes&gt; Security profiles&gt; Anti-Spyware&gt; clone default one and modify it accordingly.</SPAN></P><P><SPAN>Objectes&gt; Security profiles&gt; Vulnerability Profile&gt; clone default one and modify it accordingly.</SPAN></P><P>&nbsp;</P><P><SPAN>The default profiles are okay but you cannot modify them that'w why we need to clone them.</SPAN></P><P>&nbsp;</P><P><SPAN>Now go to the Policies&gt; Security&gt; Open the security policy which is allowing the traffic and into that go to action call the above new profiles</SPAN></P><P>&nbsp;</P><P><SPAN><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/72iCFCC631BA54B982A/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="Security Policy.png" title="Security Policy.png" /></SPAN></P><P>&nbsp;</P> Tue, 25 Aug 2015 15:39:09 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63605#M38254 pankaku 2015-08-25T15:39:09Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63609#M38255 <P>Yes i know but PA doesnt have the specific siganture for this SQLi. We have everything enabled and its not being detected.</P> Tue, 25 Aug 2015 15:56:44 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63609#M38255 SOC_CSG 2015-08-25T15:56:44Z https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63741#M38308 <P>Hi, COS,</P><P>&nbsp;</P><P>SQLi will be the best effort, it will catch the most common attempts and will not evaluate any string for SQLi. If you really need that, create your own custom threat signature to improve posture, or consider offloading such job to a dedicated web / app firewall.</P><P>&nbsp;</P><P>Great read on creating custom threat signatures can be found in this tech note: <A href="https://live.paloaltonetworks.com/t5/Articles/Creating-Custom-Threat-Signatures/ta-p/58569" target="_blank">https://live.paloaltonetworks.com/t5/Articles/Creating-Custom-Threat-Signatures/ta-p/58569</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Luciano</P> Thu, 27 Aug 2015 20:42:47 GMT https://live.paloaltonetworks.com/t5/general-topics/sqlinjection-not-being-detected-by-pa/m-p/63741#M38308 Lucky 2015-08-27T20:42:47Z