Following a sudden spike in SQLMap threats, I was looking at the default action for SQL injection threats and I noticed that it is only an "alert", which seems odd for that kind of attack. Has anyone looked deeper into this and/or changed the action, and is there a reason for this not being a reset/drop action?
While it is by default set to alert, I found it's best to block threats by severity. As you can see in the picture, this Vulnerability Protection Profile, when added to a policy, will reset the traffic so it cannot cause any damage:
I hope this makes sense.
We already reset Critical and high, but use the PAN default below that so the difference between your profile and ours is really just that you extend that down to medium.
I see you also use the default action for low and info which is probably for the same reason we do - some of the low and info threats are by default blocked which we found odd. The PAN severity classification seems a bit weird which is why I was asking if anyone knew a reason why SQL injection was only an alert by default - if the detection is robust I would expect this to be a block by default.
Leaving medium to default allows so much bad stuff through.
I even have low severity set to reset-both, with only 3 manual exceptions in there for traffic sourcing from WAN and a handful more for internal traffic.
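The thread's point is that a profile which only alerts at medium severity lets the SQLMap-style hits through. One way to check whether that gap actually exists in your own threat logs is to replay exported records against the severity-to-action policy the replies describe (critical, high and medium reset; low and informational left at the signature default) and list every hit that should have been reset but was only alerted. The script below is an added example, not code from the thread or from Palo Alto Networks; the CSV column layout is a constructed simplification, not the real PAN-OS threat log format, and the sample rows are made up.

```python
"""Audit threat-log records against a desired severity-to-action policy.

Added example (not from the thread). The CSV layout below is an assumption
used for illustration; map the column names to your own export before use.
"""
import csv
import io

# Policy taken from the replies: reset medium and above, keep the
# signature's own default action for low and informational.
DESIRED_ACTION = {
    "critical": "reset-both",
    "high": "reset-both",
    "medium": "reset-both",
    "low": "default",
    "informational": "default",
}

# Actions that actually stop the session. "alert" and "allow" do not.
BLOCKING_ACTIONS = {"reset-both", "reset-client", "reset-server", "drop", "block-ip"}

# Constructed sample log (hypothetical hosts and times, simplified columns).
SAMPLE_LOG = """\
receive_time,src,dst,threat_name,severity,action
2024-01-01 10:00:01,203.0.113.5,192.0.2.10,SQLMap SQL Injection Attempt,medium,alert
2024-01-01 10:00:02,203.0.113.5,192.0.2.10,SQL Injection Attempt,high,reset-both
2024-01-01 10:00:03,203.0.113.9,192.0.2.11,HTTP Unauthorized Brute-force,low,alert
2024-01-01 10:00:04,198.51.100.4,192.0.2.10,Generic Overflow,critical,alert
"""


def parse_threat_log(text):
    """Parse CSV text into a list of dict records (one per threat log line)."""
    return list(csv.DictReader(io.StringIO(text)))


def find_under_enforced(records, policy=DESIRED_ACTION):
    """Return records whose severity the policy says must be reset but which
    the firewall only alerted on (or allowed).

    Severities mapped to "default" are skipped: the thread deliberately keeps
    the per-signature default there, so an alert at low severity is not a gap.
    """
    gaps = []
    for rec in records:
        wanted = policy.get(rec["severity"].strip().lower(), "default")
        if wanted == "default":
            continue
        if rec["action"].strip().lower() not in BLOCKING_ACTIONS:
            gaps.append(rec)
    return gaps


def summarize(gaps):
    """Count gaps per (severity, threat_name) so the noisy signatures stand out."""
    counts = {}
    for rec in gaps:
        key = (rec["severity"], rec["threat_name"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    gaps = find_under_enforced(parse_threat_log(SAMPLE_LOG))
    for (severity, name), n in sorted(summarize(gaps).items()):
        print(f"{severity:<10} {n:>4}  {name}")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and adjusting the column names; a non-empty result after you have attached the reset-by-severity profile to a policy usually means the profile is not applied to the rule that matched, or the hit came from a rule with an exception.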