Default Action for SQL Injection Attacks

djr
L3 Networker

Default Action for SQL Injection Attacks

Following a sudden spike in SQLMap threats, I was looking at the default action for SQL injection threats and I noticed that it is only an "alert", which seems odd for that kind of attack. Has anyone looked deeper into this and/or changed the action, and is there a reason for this not being a reset/drop action?

L7 Applicator

Re: Default Action for SQL Injection Attacks

Hello,

While it is by default set to alert, I found it's best to block threats by Severity. As you can see in the picture, this Vulnerability Protection Profile, when added to a Policy, will reset the traffic so it cannot cause any damage:

I hope this makes sense.


Regards,

djr
L3 Networker

Re: Default Action for SQL Injection Attacks

Hi,


We already reset Critical and high, but use the PAN default below that so the difference between your profile and ours is really just that you extend that down to medium.


I see you also use the default action for low and info, which is probably for the same reason we do: some of the low and info threats are by default blocked, which we found odd. The PAN severity classification seems a bit weird, which is why I was asking if anyone knew a reason why SQL injection was only an alert by default. If the detection is robust I would expect this to be a block by default.

L7 Applicator

Re: Default Action for SQL Injection Attacks

Hello,

I would recommend setting the medium to also reset or block. There are going to be some exceptions, at least there are in my environment, so I had to create special exception cases for them.


Regards,

djr
L3 Networker

Re: Default Action for SQL Injection Attacks

OK thanks, I will look a bit closer at what other medium level threats we are seeing, with a view to doing that.


Many thanks

L7 Applicator

Re: Default Action for SQL Injection Attacks

Leaving medium to default allows so much bad stuff through.

I have even low severity set to reset-both, with only 3 manual exceptions in there for traffic sourcing from WAN and a handful more for internal traffic.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
djr
L3 Networker

Re: Default Action for SQL Injection Attacks

Thanks, I don't think I will go that far just yet, but have put medium to reset-both for spyware and vulnerabilities. 
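The review djr describes (look at which medium-severity threats are actually being seen before moving that severity from the PAN default to reset-both, and carve out exceptions for known false positives) can be scripted. This is an added example, not code from the thread or from Palo Alto Networks; the threat IDs, names and vendor default actions in the sample events are constructed placeholders, not real PAN-OS signature IDs.

```python
from collections import Counter

# Profile as djr describes it: critical/high reset, everything below left at
# the vendor ("default") per-signature action.
CURRENT_PROFILE = {"critical": "reset-both", "high": "reset-both",
                   "medium": "default", "low": "default", "informational": "default"}

# Constructed sample of threat-log events for the review. Threat IDs and names
# are hypothetical placeholders, not real PAN-OS signature IDs.
# Fields: threat_id, threat_name, severity, vendor default action for that signature.
SAMPLE_EVENTS = [
    (90001, "SQL Injection Attempt", "medium", "alert"),
    (90001, "SQL Injection Attempt", "medium", "alert"),
    (90001, "SQL Injection Attempt", "medium", "alert"),
    (90002, "HTTP Header Anomaly", "medium", "alert"),
    (90003, "Noisy Scanner Signature", "medium", "reset-both"),
    (90004, "Critical RCE Attempt", "critical", "alert"),
    (90005, "Info Disclosure Probe", "low", "alert"),
]

def effective_action(profile, severity, vendor_default, threat_id, exceptions):
    """Action the firewall would take: a threat exception wins, then the
    severity rule, and 'default' falls back to the signature's own action."""
    if threat_id in exceptions:
        return exceptions[threat_id]
    action = profile.get(severity, "default")
    return vendor_default if action == "default" else action

def preview_change(profile, events, severity="medium", new_action="reset-both",
                   exceptions=None):
    """Count, per threat, the events whose action would change if `severity`
    were moved to `new_action`. Returns {(id, name, before, after): count}."""
    exceptions = exceptions or {}
    proposed = dict(profile, **{severity: new_action})
    changed = Counter()
    for tid, name, sev, vdefault in events:
        before = effective_action(profile, sev, vdefault, tid, exceptions)
        after = effective_action(proposed, sev, vdefault, tid, exceptions)
        if before != after:
            changed[(tid, name, before, after)] += 1
    return changed

if __name__ == "__main__":
    # First pass: what would raising medium to reset-both newly block?
    for (tid, name, before, after), n in preview_change(CURRENT_PROFILE, SAMPLE_EVENTS).items():
        print(f"{tid} {name}: {n} events, {before} -> {after}")
    # Second pass: the same preview after adding a manual exception for a
    # signature the review identified as a false positive.
    print(preview_change(CURRENT_PROFILE, SAMPLE_EVENTS, exceptions={90002: "alert"}))
```

Events already at reset-both through the vendor default (90003) and severities above the one being changed (90004) drop out of the preview, so the output is exactly the set of signatures that need a decision before the profile is committed.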
