Hello Community
I found an old correlation rule which covers XSS, where two events are specified:
144-1558044803
144-3098281784
Unfortunately, I found neither a single fire-up nor any events with such SIDs, hence I started wondering how they were identified. Is there any SID repository which states what these SIDs cover?
Would you recommend any way of creating a rule for XSS or SQL injection attempts? I think the best way would be to monitor IPS traffic, but maybe there are other ways?
Thanks for support!
Hi, first of all, you need to know that McAfee supports a lot of rules,
"but" in order for them to work and trigger, you need to have a specific technology in your network...
so in order to understand what 144-1558044803 and 144-3098281784 are,
you need to look just at the numbers before the "-".
In our example that is 144; when searching in the policy you could paste the 144 into the Device Type ID field in the Advanced options (the right side of the policy GUI).
In your case it's an F5 data source; to be more accurate, it's probably an F5-ASM (WAF) data source log.
Do you have such a data source in your environment?
If not, you could really disable the rule, because it's never going to trigger.
Best Regards👍👍👍
David.
Hi David
Thank you very much for your input. Would you be able to make a few screenshots of where I can find this information, as I cannot find it by myself?
Yes, we have F5 ASM and the BIG-IP.
If your backend database is a Microsoft SQL Server, a good indication that there are SQL injections in your environment is a change in the number of query plans. A change in the number of plans will also happen when SQL servers are restarted, or where there are other application changes, such as a patch or whatnot. Likely you want to be notified of these events anyway, so it is often a good use case for finding these kinds of attacks.
This is SQL injection of the type that is making it to your backend, not random attempts against web servers that are correctly filtering the attempts.
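One way to turn the query-plan idea above into a check, as an added example that is not part of the thread or of any McAfee rule: poll the count of cached ad hoc plans on the SQL Server, keep a rolling baseline, and alert when the count jumps well above it. The restart case the reply mentions is handled by watching sqlserver_start_time; a restart empties the plan cache, so the rebuild that follows must not be mistaken for an attack. The T-SQL uses the standard DMVs sys.dm_exec_cached_plans, sys.dm_os_sys_info and sys.dm_exec_sql_text (VIEW SERVER STATE permission is assumed); the poll data below is constructed, and the window, factor and minimum-delta thresholds are assumptions to be tuned per instance.

```python
"""Detect SQL-injection-style query-plan churn on Microsoft SQL Server.

Added example (not from the thread). It samples the number of cached
ad hoc plans, keeps a rolling baseline, and raises an alert when the
count jumps well above that baseline. A change in sqlserver_start_time
is reported separately as a restart and resets the baseline, because a
restart empties the plan cache and the rebuild would otherwise look
like a spike.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# T-SQL that produces one Sample per poll (assumed: standard DMVs and
# VIEW SERVER STATE). Only ad hoc plans are counted: injected statements
# change the SQL text, so each one compiles to a new plan, while
# parameterised application queries keep reusing existing ones.
PLAN_COUNT_SQL = """
SELECT (SELECT sqlserver_start_time FROM sys.dm_os_sys_info) AS sqlserver_start_time,
       COUNT(*) AS adhoc_plans
FROM   sys.dm_exec_cached_plans
WHERE  objtype = 'Adhoc';
"""

# Triage query to run once an alert fires: single-use ad hoc plans and
# their SQL text are where the injected statements will show up.
TRIAGE_SQL = """
SELECT TOP (50) cp.usecounts, cp.size_in_bytes, st.text
FROM   sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE  cp.objtype = 'Adhoc'
ORDER BY cp.usecounts ASC, cp.size_in_bytes DESC;
"""


@dataclass(frozen=True)
class Sample:
    taken_at: datetime
    sqlserver_start_time: datetime
    adhoc_plans: int


@dataclass(frozen=True)
class Event:
    kind: str            # "restart" or "plan_spike"
    taken_at: datetime
    adhoc_plans: int
    baseline: float      # median of the window at the time (0.0 for restart)


def detect_plan_spikes(samples, window=6, factor=2.0, min_delta=500):
    """Return the list of Events found in chronological samples.

    A spike is reported when a sample exceeds factor * median(window) and
    is at least min_delta plans above it. Spiking samples are not added
    to the window, so a sustained burst keeps alerting instead of
    silently becoming the new baseline. A changed start time empties the
    window: the cache is cold and the next `window` polls only rebuild it.
    """
    events = []
    history = []
    last_start = None
    for s in samples:
        if last_start is not None and s.sqlserver_start_time != last_start:
            events.append(Event("restart", s.taken_at, s.adhoc_plans, 0.0))
            history = []
        last_start = s.sqlserver_start_time
        if len(history) >= window:
            baseline = median(history)
            if (s.adhoc_plans > baseline * factor
                    and s.adhoc_plans - baseline >= min_delta):
                events.append(Event("plan_spike", s.taken_at,
                                    s.adhoc_plans, baseline))
                continue
        history.append(s.adhoc_plans)
        history = history[-window:]
    return events


def constructed_samples():
    """Constructed 10-minute polls (not real data): a steady instance, a
    restart that empties the cache, the normal rebuild, then an injection
    burst that compiles thousands of fresh ad hoc plans."""
    first_boot = datetime(2020, 3, 1, 6, 0)
    second_boot = datetime(2020, 3, 2, 2, 10)
    t0 = datetime(2020, 3, 2, 1, 0)
    polls = [
        (first_boot, 1180), (first_boot, 1210), (first_boot, 1195),
        (first_boot, 1220), (first_boot, 1205), (first_boot, 1190),
        (first_boot, 1215),
        (second_boot, 40), (second_boot, 310), (second_boot, 720),
        (second_boot, 1100), (second_boot, 1190), (second_boot, 1230),
        (second_boot, 1215),
        (second_boot, 4800), (second_boot, 5100),
    ]
    return [Sample(t0 + timedelta(minutes=10 * i), boot, n)
            for i, (boot, n) in enumerate(polls)]


if __name__ == "__main__":
    for e in detect_plan_spikes(constructed_samples()):
        print(f"{e.taken_at:%Y-%m-%d %H:%M} {e.kind:10} "
              f"adhoc_plans={e.adhoc_plans} baseline={e.baseline}")
```

On the constructed polls the restart is reported once, the six rebuild polls produce no alert, and the two burst polls each fire a plan_spike against a baseline of 1145 plans. In production the poll would execute PLAN_COUNT_SQL on a schedule and the resulting events would be forwarded to the SIEM; TRIAGE_SQL is what an analyst runs next to see the injected statements themselves.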
Hi David
Could you advise me where I can find this policy, to find out what a specific SID covers as you advised?
Mu330k@gmail.com