SQLinjection not being detected by PA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SQLinjection not being detected by PA

L4 Transporter

Hi, we are receiving these tries about SQL injection but our Palo alto is not detecting it. How can we do that PA detect this SQLi????? we have updated the threats signatures.

 

Sql injection

GET /ficha-modelo?id=2&entidad=99999999%27%20oR%20%277%27=%277 HTTP/1.1" 500 59878 "-" "Mozilla/4.0

GET /ficha-modelo?entidad=!S!WCRTESTINPUT000000%3C%3E%3c%3e%253c%253e!E!&id=2 HTTP/1.1" 500 59878 "-" "Mozilla/4.0"

8 REPLIES 8

L5 Sessionator

Have you applied proper security profiles to the concern security policies?

Yes its matching the correct policy.

No I am talking about the antivirus, antispyware, vulnerabiltiy profile are applied to the security rules?

we have the 3 security profiles assigned in the default config for this connection. What can we do in order to detect this SQLi??? 

typicall something that should be caught by a WAF/ReverseProxy that is fine tuned for specific customer needs, not a firewall or a IPS in my opinion.

You have to create security profile and apply them into the security rules

 

Objectes> Security profiles> Antivirus> clone default one and modify it accordingly.

Objectes> Security profiles> Anti-Spyware> clone default one and modify it accordingly.

Objectes> Security profiles> Vulnerability Profile> clone default one and modify it accordingly.

 

The default profiles are okay but you cannot modify them that'w why we need to clone them.

 

Now go to the Policies> Security> Open the security policy which is allowing the traffic and into that go to action call the above new profiles

 

Security Policy.png

 

Yes i know but PA doesnt have the specific siganture for this SQLi. We have everything enabled and its not being detected.

Hi, COS,

 

SQLi will be the best effort, it will catch the most common attempts and will not evaluate any string for SQLi. If you really need that, create your own custom threat signature to improve posture, or consider offloading such job to a dedicated web / app firewall.

 

Great read on creating custom threat signatures can be found in this tech note: https://live.paloaltonetworks.com/t5/Articles/Creating-Custom-Threat-Signatures/ta-p/58569

 

Regards

 

Luciano

  • 4300 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!