2 Replies Latest reply on Jan 6, 2010 3:37 PM by steers02

    IPS SQL Signatures

      Hi guys,
      Has anyone had much experience with the IPS SQL signatures? I’ve been testing them on a dev server and simulating SQL injections, but I can’t get the rules to fire. To this end I’ve been working on some custom IPS signatures using TCL. But this technique only allows me to evaluate either the URL “http://myserver.com” or the QUERY part “?variable=variable” of the HTTP data. This is useful for checking GET HTTP requests, but I can’t see a way to check POST HTTP requests (data submitted from a form).

      This is an example of my problem. The command “METHOD” allows me to search for GET and POST requests, but on the next line, where I search the HTTP request for a particular value (“hello”), I can only choose between URL or QUERY. So the data in the POST request seems to be hidden from me.

      Rule {
      tag "SQL Test"
      Class Isapi
      Id 4002
      level 4

      method { Include "GET" }
      query { Include "hello" }
      time { Include "*" }
      application { Include "*" }
      user_name { Include "*" }

      directives -c -d isapi:request
      }


      The HIP 7 documentation is very limited, but most of the 6.x material is still relevant. The product guide for HIP 6.1 does have a “Writing Custom Signatures” section, but it doesn’t provide a great deal of detailed information.

      HIPS seems like a good product, but it’s a bit thin on the ground for info; it would be good to hear about other people’s experiences.


      Cheers,
      Simon.

      Our Setup:
      EPO 4.0 (patch 2)
      HIP 7 (patch 2)
      EPO Agent 3.6
      Server 2003
      SQL 2000
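
      The following is an added example, not code from the original thread and not McAfee HIPS code: a toy model in Python of a signature engine that, like the url/query parameters described above, only sees the request line, placed beside one that also decodes a form-encoded POST body. The rule fields (method, url, query, body), the SQL injection pattern and the two sample requests are this example’s own assumptions, chosen to mirror the posted rule rather than HIPS semantics. It also shows a related caveat: a pattern containing literal spaces will miss a payload if it is run over the raw, still percent-encoded query string.

```python
"""
Added example, not code from the original thread and not McAfee HIPS code:
a toy model of a signature engine that, like the `url`/`query` parameters
the poster describes, sees only the request line, placed beside one that
also decodes a form-encoded POST body. Rule fields and the SQLi pattern
are this example's own assumptions, chosen to mirror the posted rule.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic: one injection payload, sent in the query
# string of a GET and in the body of a form POST.
GET_REQUEST = (
    "GET /login.asp?user=admin'%20OR%201=1--&pw=x HTTP/1.1\r\n"
    "Host: myserver.com\r\n"
    "\r\n"
)
POST_BODY = "user=admin'+OR+1%3D1--&pw=x"
POST_REQUEST = (
    "POST /login.asp HTTP/1.1\r\n"
    "Host: myserver.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(POST_BODY)}\r\n"
    "\r\n" + POST_BODY
)

# Classic tautology probe, e.g. ' OR 1=1 -- ; intended to run on *decoded* values.
SQLI_PATTERN = re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)  # relative target: path + query only
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": parts.path, "query": parts.query,
            "headers": headers, "body": body}


def decoded_values(request, scope):
    """Parameter values in `scope` ('query' or 'body') after URL decoding.
    Only application/x-www-form-urlencoded bodies are decoded; any other
    body is treated as opaque, which is itself a blind spot to be aware of."""
    if scope == "body":
        ctype = request["headers"].get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            return []
    params = parse_qs(request[scope], keep_blank_values=True)
    return [v for values in params.values() for v in values]


def rule_fires(raw, methods, scope, decode=True):
    """Model of a rule: `methods` plays the posted `method { Include ... }`
    part; `scope` names the part of the request the pattern is run over."""
    request = parse_request(raw)
    if request["method"] not in methods:
        return False
    haystack = decoded_values(request, scope) if decode else [request[scope]]
    return any(SQLI_PATTERN.search(v) for v in haystack)


def demo():
    """Which (scope, method) combinations catch each request."""
    return {
        # payload in the query string: a query-scoped rule sees it
        "get_query_rule": rule_fires(GET_REQUEST, {"GET"}, "query"),
        # same payload in the POST body: a query-scoped rule sees nothing,
        # even when POST is included in the method list
        "post_query_rule": rule_fires(POST_REQUEST, {"GET", "POST"}, "query"),
        # only a body-aware rule fires on the POST
        "post_body_rule": rule_fires(POST_REQUEST, {"POST"}, "body"),
        # caveat: the same pattern run over the *raw* query string misses,
        # because the spaces arrive as %20 / '+' until something decodes them
        "get_query_rule_raw": rule_fires(GET_REQUEST, {"GET"}, "query", decode=False),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:20s} {'FIRES' if fired else 'silent'}")
```

      Running it shows the query-scoped rule firing on the GET and staying silent on the POST regardless of the method list, and the raw-string variant missing even the GET, which is worth keeping in mind when choosing patterns for whichever parameter the engine does expose.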
        • 1. Additional
          After my previous email I had a good dig around in the HIP client log files for more info. I came across a file called shield_db.txt which shows you a TCL output of all the IPS signatures. This is extremely useful for two reasons:

          One, it shows you all the classes used by IPS, including the undocumented SQL class. It also shows you additional directives or class operations. For example, the documentation only references the isapi:request directive, whereas there is actually an additional isapi:requrl directive.

          Two, it shows you when you should expect a trigger to fire. Have a look at the SQL signatures as you will notice some client_agent exclusions. This is key, if like me you expected to be protected by the default signatures.

          I’m still finding my feet with this product, so hearing from anybody with any experience out there would be very useful.

          I would be extremely keen to hear about anybody using regexp. The TCL code supports the command, but I’m not sure which variables I can pass.


          Simon.
          • 2. Re: Additional
            steers02

            I am just beginning to work with custom signatures and would like to review the file you mentioned that contains the TCL for all the signatures.  However, I cannot find this file on my system.  Does anyone know if this file has been renamed or if there is another place to view the code for McAfee signatures?


            Thanks