cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Venon
Level 7
Report Inappropriate Content
Message 1 of 8
‎08-21-2019 05:25 AM

Identifying XSS and SQL injection

Jump to solution

Hello Community

 

I found an old correlation rule which cover XSS where two events are specified:

144-1558044803

144-3098281784

Unfortunately I did not find nigher single fireup nor events with such SIDs hence started to wondering how they were identified. Is there any SID repository which will stated what these SID covers?

 

Would you recommend any way of creating rule for XSS or SQL injection attempt? I think the best way would be to monitor IPS traffic, but maybe there are any other ways?

Thanks for support!

0 Kudos
Reply
1 Solution

Accepted Solutions
David1111
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 8
‎08-22-2019 02:42 AM

Re: Identifying XSS and SQL injection

Jump to solution

Hi, first of all, you need to know that McAfee supports a lot of rules,

"but" in-order to work and trigger, you need to have a specific Technology in your Network...

so in-order to understand what is 144-1558044803,  144-3098281784

you need to look just on the numbers till the "- "

in are example - 144, when searching in the policy you could paste the 144 in the Device type ID field in the Advanced options (the right side of the policy GUI)

in your case its' a F5 - Data Source, to be more curate its' probable a F5-ASM (WAF) Data source log.

 

do you have such a data source in your environment?

if not, you could really disable the rule, because its' never going to trigger.

Best Regards👍👍👍

David.

View solution in original post

0 Kudos
Reply
7 Replies
David1111
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 8
‎08-22-2019 02:42 AM

Re: Identifying XSS and SQL injection

Jump to solution

Hi, first of all, you need to know that McAfee supports a lot of rules,

"but" in-order to work and trigger, you need to have a specific Technology in your Network...

so in-order to understand what is 144-1558044803,  144-3098281784

you need to look just on the numbers till the "- "

in are example - 144, when searching in the policy you could paste the 144 in the Device type ID field in the Advanced options (the right side of the policy GUI)

in your case its' a F5 - Data Source, to be more curate its' probable a F5-ASM (WAF) Data source log.

 

do you have such a data source in your environment?

if not, you could really disable the rule, because its' never going to trigger.

Best Regards👍👍👍

David.

View solution in original post

0 Kudos
Reply
Venon
Level 7
Report Inappropriate Content
Message 3 of 8
‎08-26-2019 05:03 AM

Re: Identifying XSS and SQL injection

Jump to solution

Hi David

 

Thank you very much for your input. Would you be able to make few screen shots where can I find this information as I cannot find it by myself.

 

Yes, we have F5 ASM and the BIG IP

0 Kudos
Reply
brenta
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 8
‎08-28-2019 03:37 PM

Re: Identifying XSS and SQL injection

Jump to solution

If you backend database is a Microsoft sql server a good indication there are SQL injections in your environment is a change in the number of query plans. Change in the number of plans also will happen when SQL servers are restarted, or where there are other application changes, such as a patch or whatnot. Likely you want to be notified of these events anyways so it is often a good use case for finding these kinds of attacks.

This is SQL injections of the type that are making it to your backend, not random attempts against web servers that are correctly filtering the attempts.

Brent
0 Kudos
Reply
Venon
Level 7
Report Inappropriate Content
Message 5 of 8
‎10-17-2019 02:21 AM

Re: Identifying XSS and SQL injection

Jump to solution

Hi David

Could you advice me where can I find this policy to find out what specific SID covers like you advised?

0 Kudos
Reply
Venon
Level 7
Report Inappropriate Content
Message 6 of 8
‎10-17-2019 02:22 AM

Re: Identifying XSS and SQL injection

Jump to solution

Hi David

Could you advice me where can I find this policy to find out what specific SID covers like you advised?

0 Kudos
Reply
Mm12uu12ss11aa
Level 7
Report Inappropriate Content
Message 7 of 8
‎08-28-2019 03:44 PM

Re: Identifying XSS and SQL injection

Jump to solution
 
0 Kudos
Reply
Mm12uu12ss11aa
Level 7
Report Inappropriate Content
Message 8 of 8
‎08-28-2019 03:49 PM

Re: Identifying XSS and SQL injection

Jump to solution

Mu330k@gmail.com

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC