08-25-2015 06:21 AM
Hi, we are receiving these tries about SQL injection but our Palo alto is not detecting it. How can we do that PA detect this SQLi????? we have updated the threats signatures.
Sql injection
GET /ficha-modelo?id=2&entidad=99999999%27%20oR%20%277%27=%277 HTTP/1.1" 500 59878 "-" "Mozilla/4.0
GET /ficha-modelo?entidad=!S!WCRTESTINPUT000000%3C%3E%3c%3e%253c%253e!E!&id=2 HTTP/1.1" 500 59878 "-" "Mozilla/4.0"
08-25-2015 06:35 AM
Yes its matching the correct policy.
08-25-2015 07:31 AM
No I am talking about the antivirus, antispyware, vulnerabiltiy profile are applied to the security rules?
08-25-2015 07:44 AM
we have the 3 security profiles assigned in the default config for this connection. What can we do in order to detect this SQLi???
08-25-2015 08:11 AM
typicall something that should be caught by a WAF/ReverseProxy that is fine tuned for specific customer needs, not a firewall or a IPS in my opinion.
08-25-2015 08:39 AM
You have to create security profile and apply them into the security rules
Objectes> Security profiles> Antivirus> clone default one and modify it accordingly.
Objectes> Security profiles> Anti-Spyware> clone default one and modify it accordingly.
Objectes> Security profiles> Vulnerability Profile> clone default one and modify it accordingly.
The default profiles are okay but you cannot modify them that'w why we need to clone them.
Now go to the Policies> Security> Open the security policy which is allowing the traffic and into that go to action call the above new profiles
08-25-2015 08:56 AM
Yes i know but PA doesnt have the specific siganture for this SQLi. We have everything enabled and its not being detected.
08-27-2015 01:42 PM - edited 08-27-2015 01:42 PM
Hi, COS,
SQLi will be the best effort, it will catch the most common attempts and will not evaluate any string for SQLi. If you really need that, create your own custom threat signature to improve posture, or consider offloading such job to a dedicated web / app firewall.
Great read on creating custom threat signatures can be found in this tech note: https://live.paloaltonetworks.com/t5/Articles/Creating-Custom-Threat-Signatures/ta-p/58569
Regards
Luciano
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
