Default Action for SQL Injection Attacks

L4 Transporter

Following a sudden spike in SQLMap threats, I was looking at the default action for SQL injection threats and I noticed that it is only an "alert", which seems odd for that kind of attack. Has anyone looked deeper into this and/or changed the action, and is there a reason for this not being a reset/drop action?


6 REPLIES

Cyber Elite

Hello,

While it is by default set to alert, I found it's best to block threats by Severity. As you can see from the picture, this Vulnerability Protection Profile, when added to a Policy, will reset the traffic so it cannot cause any damage:

 

[image.png: Vulnerability Protection Profile]

I hope this makes sense.

 

Regards,

Hi,

 

We already reset Critical and high, but use the PAN default below that so the difference between your profile and ours is really just that you extend that down to medium.

 

I see you also use the default action for low and info, which is probably for the same reason we do: some of the low and info threats are by default blocked, which we found odd. The PAN severity classification seems a bit weird, which is why I was asking if anyone knew a reason why SQL injection was only an alert by default. If the detection is robust I would expect this to be a block by default.
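To make the profile logic the thread is discussing concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models how a vulnerability protection profile resolves the action for each signature: threat exception first, then the per-severity rule, then the vendor default. All signature IDs, names, severities and default actions are constructed, not real threat IDs.

```python
# Added example: model profile action resolution and audit which SQL injection
# signatures would still only be alerted on. Signature data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    threat_id: int
    name: str
    severity: str        # critical | high | medium | low | informational
    default_action: str  # vendor default, e.g. "alert" or "reset-both"


# Constructed signature set: the two SQL injection signatures default to alert.
SIGNATURES = [
    Signature(90001, "SQL Injection Attempt", "medium", "alert"),
    Signature(90002, "SQLMap Scanner Detection", "medium", "alert"),
    Signature(90003, "Remote Code Execution", "critical", "reset-both"),
    Signature(90004, "Suspicious HTTP Header", "low", "drop"),
]

# Profile as described in the thread so far: reset critical/high, vendor default below.
CURRENT_PROFILE = {
    "rules": {"critical": "reset-both", "high": "reset-both",
              "medium": "default", "low": "default", "informational": "default"},
    "exceptions": {},
}

# Recommended variant: extend reset-both to medium, with a per-signature
# exception for a confirmed false positive on an internal application (constructed).
HARDENED_PROFILE = {
    "rules": {**CURRENT_PROFILE["rules"], "medium": "reset-both"},
    "exceptions": {90001: "alert"},
}


def effective_action(profile, sig):
    """Threat exceptions win, then the severity rule, then the vendor default."""
    if sig.threat_id in profile["exceptions"]:
        return profile["exceptions"][sig.threat_id]
    rule = profile["rules"].get(sig.severity, "default")
    return sig.default_action if rule == "default" else rule


def alert_only_sqli(profile, signatures=SIGNATURES):
    """IDs of SQL injection signatures whose effective action is only 'alert'."""
    return sorted(s.threat_id for s in signatures
                  if "sql" in s.name.lower()
                  and effective_action(profile, s) == "alert")


if __name__ == "__main__":
    print("current :", alert_only_sqli(CURRENT_PROFILE))   # [90001, 90002]
    print("hardened:", alert_only_sqli(HARDENED_PROFILE))  # [90001]
```

Running the audit against both profiles shows that moving medium to reset-both is what changes the outcome for the SQLi signatures, while the exception table is where the thread's "special exception cases" live.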

Hello,

I would recommend setting the medium to also reset or block. There are going to be some exceptions, at least there are in my environment, so I had to create special exception cases for them.

 

Regards,

OK thanks, I will look a bit closer at what other medium level threats we are seeing, with a view to doing that.

 

Many thanks

Leaving medium to default allows so much bad stuff through.

I even have low severity set to reset-both, with only 3 manual exceptions in there for traffic sourcing from WAN and a handful more for internal traffic.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks, I don't think I will go that far just yet, but I have put medium to reset-both for spyware and vulnerabilities.
