SQL Injection detection with IDS/IPS on cisco ASA?

Hi
Is it possible to detect or prevent SQL injection attacks using Cisco IDS/IPS on the ASA, or with regular expressions?
Is there any signature available in IDS/IPS for this? And how effective is it in terms of generating correct alarms?
Thanks in advance

Deepak,
We have several signatures that detect generic SQL injection attacks in the 5930-x family of signatures.

Similar Messages

  • VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

    Hi,  I've been pulling my hair out trying to get simple vlan trunking working between these devices.
    Basically, no clients on VLAN 99 (guest) will receive DHCP IP addresses when plugged into the SG200.  I have the SG200<>ASA VLAN trunk configured correctly, as far as I know it, and I've tried numerous variations (set trunk as general tagged/untagged, etc., set the AP port to general tagged/untagged, etc.).   Both APs work properly when connected to the ASA e0/3 port, but either will only pull the "inside" VLAN DHCP address when connected to the SG200 switch.
    VLAN 1 - inside (has separate DHCP scope assigned by ASA)
    VLAN 99 - guest (has separate DHCP scope assigned by ASA)

    SG200 ports (port - purpose):
      g2 - Trunk 1UP,99T - Ubiquiti AP (VLAN 1 works, VLAN 99 does not)
      g3 - Access port 99T - VLAN 99 does not work
      g8 - Trunk 1UP,99T - < Trunk between switch and ASA >

    ASA 5505 (Sec Plus license) ports (port - purpose):
      Int e0/2 - < Trunk between switch and ASA >
        switchport trunk allowed vlan 1,99
        switchport trunk native vlan 1
        switchport mode trunk
      Int e0/3 - Second Ubiquiti AP - Both VLAN 1 and VLAN 99 clients work properly
        switchport trunk allowed vlan 1,99
        switchport trunk native vlan 1
        switchport mode trunk

    Frustrated - yes.  Confused - maybe not as much, but I could have put some more effort into the overall picture.
    There are two VLANs (1 - native) and (99 - guest).   There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.    
    No clients connected to the SG200 on VLAN 99  are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP.   The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
    Anything connected to the SG200 on the native VLAN works properly.
    Anything connected to the ASA VLANs (1 or 99) works properly
    I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
    I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
    SG200 g2 - trunk port (1UP, 99T) -- Access Point
    SG200 g2 - access port (99U)
    SG200 g8 - trunk port (1UP, 99T)  connected to ASA5505  e0/3  
    ASA5505 e0/3  (switchport trunk allowed vlan 1,99,  switchport trunk native vlan 1,  switchport mode trunk)
    Thanks,

  • SQL Injection threat with APEX developed applications

    We are using a tool, HP WebInspect, to scan some of our APEX-developed applications for web application security testing and assessment. We are getting some critical and high vulnerabilities identified (see below) and would like to know if someone else has encountered these, and to determine a solution, whether it be a setting or settings within APEX, or whether it is more related to the application and the way it was developed.
    Critical:
    Possible SQL Injection
    File Names:
    • https://xxx.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+777-777-1911form%40value777.com+exists+in+our+records'+OR%2cwe+will+send+the+workspace+names+associated+with+this+email+address.+If+you+are+having+problems+receiving+the+workspace+names%2cplease+contact+your+administrator.%2fC34A0EF5494AB92C95AA4D0F7BF52332%2f
    • https://busaff-test.utdallas.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+777-777-1911form%40value777.com+exists+in+our+records%2cwe%2bwill%2bsend%2bthe%2bworkspace%2bnames%2bassociated%2bwith%2bthis%2bemail%2baddress.%2bIf%2byou%2bare%2bhaving%2bproblems%2breceiving%2bthe%2bworkspace%2bnames'%2bOR%2cplease+contact+your+administrator.%2fC34A0EF5494AB92C95AA4D0F7BF52332%2f
    High:
    Possible Username or Password Disclosure
    File Names:
    • https://xxx.edu:443/pls/apex/f?p=104:101:1328157658320206:&notification_msg=Invalid%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/
    • https://xxx.edu:443/pls/apex/f?p=104:101:2360963243212364&notification_msg=Invalid%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/

    You can help us by telling us your first name, putting it into your profile, and by selecting a friendlier handle.
    The details you showed indicate no SQL injection possibilities whatsoever. The "Critical" examples are also unrelated to Application Express applications that you may have developed (application 4550 is the login application for the product itself and should rarely be used by end users in production environments).
    Scott

  • Detect attack man in the middle with IDS/IPS

    Hi,
    I have aip-ssm 20, IPS Version 7.0(6)E4
    The signature IDs 7101, 7102, 7104 and 7105 are used for detecting ARP poisoning attacks.
    The sensor works as an IDS in promiscuous mode. All traffic is forwarded to the sensor.
    I have made a man-in-the-middle attack with Cain & Abel, but the sensor doesn't send an alarm. I attach an image with the signatures.
    Why doesn't the sensor detect the attack? The network is in the inside zone.
    Can anybody help me, please?

    Did you check if the SSM is getting those packets by running the "packet display .." command on the sensing interface? In the SSM, the ARP packets would not be forwarded by the ASA to the SSM.
    thx
    Madhu

  • How do I rewrite destination IP with another public on Cisco ASA?

    We have a vendor having issues with their load balancer, and their tech support is not responsive to us.  They are handing out 2 DNS entries; one works, one does not.  I would like to rewrite the bad one with the good one on our ASA outbound to band-aid the issue until we can get it resolved with their tech support.  What is the appropriate NAT statement?

    8.3 uses the new NAT configuration.
    This link provides a good overview of the relationship between the old NAT and new NAT statements:
    https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
    What exactly are you trying to "band aid" is it the DNS requests?
    If you are running version 8.3 or higher, you could try something like the following:
    object network BAD-DNS
      host x.x.x.x
    object network GOOD-DNS
      host y.y.y.y
    object network LAN
      subnet z.z.z.0 255.255.255.0
    nat (inside,outside) source static LAN LAN destination static BAD-DNS GOOD-DNS
    Pre 8.3, I think the commands are like this:
    access-list DNS permit ip z.z.z.0 255.255.255.0 host x.x.x.x
    static (inside,outside) y.y.y.y access-list DNS
    Please remember to select a correct answer and rate helpful posts

  • SQL injection hacks

    Hi,
    I am a bit disappointed by the ability of Cisco IPS to block SQL injections; even with the new generic SQL injection signatures added not long ago, websites hosted with us are still being hacked.
    I know it's vulnerabilities in the sites, but the UPDATE command is used a lot to hack sites. I have created a custom signature that catches "update" in lowercase and caps, but I was surprised yesterday that the hacker used "u%pdate" and it bypassed the sensor!!
    Any thoughts on the subject?
    thanks

    Interesting. I'm so not a SQL expert, but I don't see how "u%pdate" is valid SQL. Why would the database interpret "u%pdate" as valid SQL? Is the application cleaning up the input before passing to the db?
    IMHO, if your customers have vulnerable apps, then they need to fix them. A network based IDS simply isn't going to be the best at detecting every possible variation of injection (or anything else imo, but that's a whole different soap box). It just doesn't have the required context. Throw TLS into the mix, and most of the time coverage drops to zero.

  • Which IDS/IPS module for 10 GB WAN/LAN

    I have a question about a present scenario in a network where the WAN connectivity is 4 GB and the LAN network is 10 GB. The firewall for the WAN is a Cisco 5580-20 with a 10 GB Ethernet interface, and on the LAN a 6500 series switch with a 10 GB Ethernet module. The issue is how to implement IPS in this network, because the Cisco 5580 series firewall doesn't support any IPS module, and while the 6500 series switch supports the IDSM-2 module, that is only for a 2 GB Ethernet module. So what can be the solution for such a network?

    On a machine that can do a 10Gb firewall rate, it is well advisable to have your IDS/IPS be a separate box.  IDS/IPS "costs" a lot of CPU power.  It gets more expensive when you are talking about pushing beyond 1Gb.  This is why you'll find several forums stating that if you have a firewall with 10Gb speed, a separate IDS/IPS is the way to go.  Otherwise, a firewall with IDS/IPS will not necessarily push 10Gb all together.

  • Does getting a Smartnet contract also give you IDS/IPS signature updates?

    A client of mine is looking into getting an ASA5510 with AIP-SSM module. I realize that with IDS/IPS systems, it is *crucial* to always keep signature files up-to-date. Does purchasing the Smartnet contract for the bundle give me signature file updates or is there some other package I need to buy?
    I see references to "Cisco Services for IPS" but that seems to be mainly for router/IOS-based firewall/IDS packages.

    There is not a Smartnet contract for the ASA/AIP-SSM bundle.
    The only SmartNET contracts for SSM bundles are with the CSC-SSM, not the AIP-SSM.
    When purchasing an ASA/AIP-SSM bundle you will need to purchase a bundle maintenance contract. The bundle maintenance contracts are Cisco Service for IPS contracts and include the signature support for the AIP-SSM as well as the software and hardware support on both the AIP-SSM and ASA (the software and hardware support is what is normally part of SmartNET).
    For the bundles you will want to purchase a Cisco Service for IPS maintenance contract using one of the following part number formats:
    CON-SUw-ASxAyKz
    The "w" will be either 1,2,3, or 4 depending on the level of service.
    The "x" will be either 1 for the 5510, 2 for the 5520, or 4 for the 5540.
    The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
    The z will be either 8 or 9 depending on the encryption level.
    So for example:
    CON-SU2-AS2A20K9 - Would be 8X5X4 support for the ASA-5520 bundled with the AIP-SSM-20 with the higher encryption.
    NOTE: There are also SP contracts for purchase by Service Providers that follow a slightly different format.
    There are a few users who have purchased the ASA and AIP-SSM separately.
    When purchased separately you would need to purchase a SmartNET contract for the ASA, and a separate Cisco Service for IPS maintenance contract for the AIP-SSM.
    The AIP-SSM maintenance contract will be in the following format:
    CON-SUw-ASIPyK9
    The "w" will be either 1,2,3, or 4 depending on the level of service.
    The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
    So for example:
    CON-SU2-ASIP20K9 would be 8X5X4 support for the AIP-SSM-20.
    What you will find is that purchasing a separate SmartNET for the ASA and Cisco Service for IPS for the AIP-SSM will be more expensive than purchasing a single Cisco Service for IPS for the ASA/AIP-SSM bundle. This is because there is a discount when purchasing by the bundle.

  • Is cfinsert and cfupdate open to SQL Injection

    Hello All,
    I'm looking for a real answer on whether cfinsert and cfupdate are vulnerable to SQL Injection. The closest thing I can find from Adobe is Ben Forta's personal recommendation. I was hoping to find some form of "official note" in the live docs to indicate there is a SQL Injection issue with cfinsert/cfupdate (other than someone's post to Ben's blog).
    http://www.forta.com/blog/index.cfm/2006/10/3/Use-CFINSERT-And-CFUPDATE
    In this forum I have seen this question asked, and the only answer is "You should validate your inputs". Yes, you should, but that does not answer the question of whether cfinsert and cfupdate are vulnerable to SQL Injection.
    I have found this blog entry which, if I interpret it correctly, finds that cfinsert and cfupdate were only vulnerable to SQL Injection IF you did not give cfinsert/cfupdate the list of fields to take action on. Is this true?
    http://blog.securityps.com/2009/05/demystifying-cfinsert-sql-injection.html
    Also, on a closely related note, are cfinsert/cfupdate on ColdFusion 9 also vulnerable? If so, why? Seems like a BUG that could be easily addressed by the CF server team.
    Thank you,

    I do agree with you here.  But to be devil's advocate for a second: the same could be said of <cfquery>.  One has to take additional measures to ensure the same vulnerabilities are mitigated with that.
    I'm not sure that it's really news that these two tags are not the most well-thought-out features in the CF arsenal, and if you listen to most opinions in the community regarding <cfinsert> and <cfupdate>, it's: "don't use them".
    They're great for quick and dirty insert/update processes in internal or test code, but I'd never use them in production.
    It also remains a fact that any external input (form fields, URL params) must be validated as being kosher and within expected margins before it is used in any way.  That is just common sense.  And if one neglects to do that, one brings any eventuality onto one's self.  The problem here really is with people not doing their "due diligence" on externally sourced data, not specifically with <cfinsert>, <cfupdate> or <cfquery>.
    Still: I think Adobe should make it more clear in the docs that additional measures need to be taken to make them safe.  And by that time... one might as well use a <cfquery> to do the SQL.
    Adam

  • Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

    OK, so our primary firewall is a Checkpoint gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using a site-to-site VPN through the Cisco ASA, as the Checkpoint gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.
    What would be the best practice for setting up the local network on my side? Create the network on the ASA and then use an L2 VLAN to connect to the core switch?
    Set up an L3 interface on the core switch and point it towards the Checkpoint gateway, which would then point to the ASA?
    When you have to select your local network through the site-to-site wizard, do you have to put in the inside network address of the ASA?
    Our network is set up like this: Access layer switch > Core 6500 switch > Checkpoint firewall > Internet
    The ASA is connected to a Checkpoint sub-interface.
    Any help would be beneficial as I'm new to Cisco ASAs.
    Thanks
    Mark

    Mark
    If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
    HTH
    Rick

  • Cisco ASA models features

    Hi,
    I am a little confused with the different models of Cisco ASA Firewalls.  I am trying to understand the real benefit of the Next-Gen ASA Firewalls. I understand the next-gen has visibility up to layer 7, but:
    - With CX, did the previous gen of ASA Firewall have the same or similar capability?
    - Is CX removed from the Next-Gen FW?
    - Is AVC something apart from CX and a new feature in the Next-Gen FW?
    - What is the real advantage of upgrading to a next-gen FW from older gen ASA Firewalls?
    Thanks

    Next Generation Firewall (NGFW) is partly a marketing term. Wikipedia has a definition (as does Gartner and a host of others). Typically it's understood to mean something more than a simple stateful firewall that only looks at packets up to the TCP session level.
    Cisco ASA has had add-on features for years, like IPS modules and the ability to use identities in access-lists, that could arguably be called NGFW. More recently they had the CX module (now approaching End of Sale). It had several NGFW features including AVC, Web Security Essentials (WSE) and IPS.
    The current product lineup includes the FirePOWER modules, with technology acquired from Sourcefire being developed and integrated into the Cisco security portfolio, including ASAs. Those also have AVC (basically the ability to look deep into a flow and determine application-specific, or even "microapplication", information). You leverage that with the addition of IPS, Web filtering and/or Advanced Malware Protection (AMP) licenses on the FirePOWER modules.
    The advantage is that you are able to protect your enterprise from modern-day threats. With the vast majority of malware being exploits from web pages (or at least carried over http/https), the traditional firewall with a rule allowing, say, only http from inside clients does nothing to protect against those threats. Client-side anti-malware software can help, but it may be too late once the malware has been identified.

  • Cisco ASA xlate limit resource

    Hi!
    I have a problem with resource limitation on a Cisco ASA.
    I want to set the limit for xlates as a percentage, not as an absolute value, but I can't do it.
    As far as I can see from the command syntax output, this feature should be supported:
    ASA(config-class)# limit-resource xlates ?
    class mode commands/options:
      WORD  Value of resource limit (in <value> or <value>%)
    But I'm getting error when try to set value in %:
    ASA(config-class)# limit-resource xlates 50%
    ERROR: Capacity unknown for this resource type
    ASA(config-class)# limit-resource xlates 50.00%
    ERROR: Capacity unknown for this resource type
    Is it possible to limit xlates as a percentage?
    What should I do to set this value as limit of default xlate?
    Thanks in advance

    Hi Igor,
    The percentage can only be used for resources which have a hardcoded system limit. For resources that do not have a system limit, you cannot set a percentage (%); you can only set an absolute value.
    How many xlates can be created depends on how much memory you have. You might be able to see the option for it, but it is only for resources which have a definite number.
    Thanks,
    Varun

  • HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

    Hi all!
    We have a couple of Cisco ASA 5520s running 8.4(3) software, and we want to improve throughput by replacing them with a couple of Cisco ASA 5525-Xs. Since the software is theoretically compatible, we are not going to upgrade it right now.
    We don't want to stop service, so we are thinking about switching off the backup 5520 firewall, replacing it with a 5525-X and balancing service to that one while we change the other 5520 FW. So the question is, has someone tried to make an active-passive cluster with both technologies, Cisco ASA and Cisco ASA-X firewalls? We were told that it should be theoretically compatible, but we'd like to know if someone has tried it before.
    Best regards for all,

    You cannot make a 5520 establish failover with the mate being a 5525-X.
    1. The configuration guide (here) states:
    The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
    2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both, you still fail on the model and RAM (the X series has much more than the 5520) checks noted above.

  • SQL injection recon detection

    Why are there no vendor provided signatures that detect SQL injection reconnaissance? I recently did an internal pen test and it reminded me again of this deficiency. I've been meaning to write my own for the longest time, but frankly...why should I need to? It is simply amazing to me that I can throw standard SQL injection tests at a web app and our network IDS is "blind" to them.
    http://ha.ckers.org/sqlinjection/

    I agree in the sense that the SQL signature set of the ASA IPS is a bit poor. If it can help someone, I've written my own signature in order to catch an attacker. It's working fine, and I think it is easy to modify.
    signatures 60000 0
    alert-severity medium
    sig-fidelity-rating 75
    sig-description
    sig-name CHZ SQL Injection
    sig-string-info CHZ SQL Injection
    sig-comment SQL Injection written by CHZ
    exit
    engine string-tcp
    event-action produce-alert|deny-packet-inline|reset-tcp-connection
    regex-string ([Dd][Ee][Cc][Ll][Aa][Rr][Ee])\%20\@.\%20([Vv][Aa][Rr][Cc][Hh][Aa][Rr])(.*);([Ss][Ee][Tt])\%20\@.=([Cc][Aa][Ss][Tt])
    service-ports #WEBPORTS
    exit
    alert-frequency
    summary-mode summarize
    exit
    exit
    status
    enabled true
    exit
    specify-mars-category yes
    mars-category DoS/WebServer
    exit
    exit
    Best Regards
    Chz
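The "u%pdate" bypass in the "SQL injection hacks" thread and Chz's DECLARE/CAST signature above both come down to the same point: a signature matched against raw wire bytes sees a different string than the application does after it decodes the request. The script below is an added illustration of mine (not code from either thread, and not Cisco IPS code): it runs the raw-bytes "update" check next to the same checks applied after URL-decoding and case-folding, over constructed request lines. Stripping a stray "%" that is not followed by two hex digits is an assumption about how a lenient application might clean its input; the sample requests are constructed, not captured.

```python
"""Keyword signatures on raw bytes vs. the same signatures after normalisation.

Added illustration, not Cisco IPS code. The request lines are constructed;
the 'lenient' decoding that drops a stray '%' is an assumption about how a
tolerant application might clean its input before building SQL.
"""
import re
from urllib.parse import unquote

# Constructed sample request lines ("METHOD target HTTP/1.1").
SAMPLE_REQUESTS = [
    "GET /news.asp?id=12 HTTP/1.1",
    "GET /news.asp?id=12;update+users+set+pw='x' HTTP/1.1",
    "GET /news.asp?id=12;u%pdate+users+set+pw='x' HTTP/1.1",        # the bypass from the thread
    "GET /news.asp?id=12;UpDaTe%20users%20set%20pw=%27x%27 HTTP/1.1",
    "GET /f?p=1;DECLARE%20@s%20VARCHAR(8);SET%20@s=CAST(0x41%20AS%20VARCHAR(8)) HTTP/1.1",
]

# The raw-bytes signature from the thread: 'update' in any case, matched on the
# wire bytes with no decoding at all.
NAIVE_UPDATE = re.compile(r"[Uu][Pp][Dd][Aa][Tt][Ee]")

# Signatures applied after normalisation. Because the input is already
# lower-cased and decoded, the patterns can be short and can anchor on
# SQL structure (keyword followed by table and SET) rather than one word.
NORMALISED_SIGS = {
    "sql-update": re.compile(r"\bupdate\s+\w+\s+set\b"),
    # Chz's DECLARE ... VARCHAR ... ; SET ... = CAST pattern, post-decoding.
    "sql-declare-cast": re.compile(
        r"\bdeclare\s+@\w+\s+varchar.*;\s*set\s+@\w+\s*=\s*cast\b", re.S),
}

# A '%' not followed by two hex digits is not a valid escape.
_STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def query_of(request_line: str) -> str:
    """Return the query string of a request line ('' if there is none)."""
    parts = request_line.split(" ", 2)
    target = parts[1] if len(parts) > 1 else ""
    return target.partition("?")[2]


def normalise(query: str) -> str:
    """Decode the way a lenient application might (assumption): '+' to space,
    stray '%' dropped so 'u%pdate' becomes 'update', %XX decoded, whitespace
    collapsed, case folded."""
    q = query.replace("+", " ")
    q = _STRAY_PERCENT.sub("", q)
    q = unquote(q)
    return re.sub(r"\s+", " ", q).lower()


def naive_hits(request_line: str) -> bool:
    """True if the raw-bytes 'update' signature fires on the query string."""
    return bool(NAIVE_UPDATE.search(query_of(request_line)))


def normalised_hits(request_line: str) -> list:
    """Names of the normalised signatures that fire, sorted."""
    q = normalise(query_of(request_line))
    return sorted(name for name, rx in NORMALISED_SIGS.items() if rx.search(q))


def scan(lines):
    """(request, raw signature fired?, normalised signatures fired) per line."""
    return [(line, naive_hits(line), normalised_hits(line)) for line in lines]


if __name__ == "__main__":
    for req, raw, norm in scan(SAMPLE_REQUESTS):
        print(f"raw={raw!s:5} normalised={norm}  {req}")
```

The second sample is caught by both checks while the "u%pdate" line is caught only after normalisation, which is the gap the thread describes; a sensor that cannot see the decoded request (or any request at all, once TLS is in the path) has no way to close it.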

  • ARP Poisoning & Cisco IDS/IPS Solutions

    I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures, or are there out-of-the-box detection signatures?
    Thanks for any information

    There are some. Go here and do a search for "arp":
    http://tools.cisco.com/security/center/search.x?search=Signature
    Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.
