> -----Original Message-----
> From: Jon Paine [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 10, 2002 11:27 AM
> To: 'Tomasz Polus'; '[EMAIL PROTECTED]'
> Subject: RE: [ISSForum] Monitoring SQL injection on Server Sensor
> 
> 
> 
> Tomasz.
> 
> Just a quick question. How will you be able to tell on the Server Sensor
> whether an SQL query is legitimate or not...? The SQL syntax will be
> correct in both cases...

Well, my applications do not use SQL commands
in URL queries with the GET method. However, many attackers try to inject
commands into SQL exactly that way. So we have, for example,
a URL query: http://server/books.asp?descr=') UNION SELECT Field FROM Table WHERE ('
or something similar.
So, I think monitoring URL queries for SQL keywords would do the job
in my case (the risk is not so high).

[...]
> The third layer is to use RS to monitor the servers and also the external
> network segment for bad stuff.
> 
> All of these are very good ideas. All of them cost money. 

Exactly - I cannot afford the first two solutions,
but fortunately I have RS SS. So, I think monitoring
URL queries for SQL injection would not be very difficult
to implement and many attacks would be traced.
Therefore my question is whether someone has signatures
of SQL injection attacks based on GET queries...

Thank you for your answer, Jon, pozdrowienia ;-)
Kind Regards,

-- 
Tomasz Polus
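
The keyword monitoring of GET queries described in this message, sketched as an added example (not part of the original post and not RealSecure signature syntax). The pattern set, the Common Log Format input and the sample log lines are assumptions constructed for illustration; the one flagged request reuses the query from the message.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Illustrative keyword patterns (assumptions, not vendor signatures).
# They run against decoded, lower-cased, whitespace-collapsed query text.
PATTERNS = {
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "select-from": re.compile(r"\bselect\b.{1,80}?\bfrom\b"),
    "data-change": re.compile(r"\b(insert\s+into|delete\s+from|drop\s+table)\b"),
}
# Only GET requests are inspected, as in the post; other methods are skipped.
REQUEST = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

# Constructed sample lines in Common Log Format (an assumed log format).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2002:11:30:01 +0100] "GET /books.asp?descr=union+station+history HTTP/1.0" 200 5120',
    '192.0.2.77 - - [10/Dec/2002:11:30:09 +0100] "GET /books.asp?descr=%27)+UnIoN+SELECT+Field+FROM+Table+WHERE+(%27 HTTP/1.0" 500 312',
    '192.0.2.10 - - [10/Dec/2002:11:30:15 +0100] "POST /order.asp HTTP/1.0" 200 801',
    '192.0.2.31 - - [10/Dec/2002:11:30:20 +0100] "GET /books.asp?descr=select+poems HTTP/1.0" 200 4096',
]

def normalize(query):
    """URL-decode and fold case so encoding or mixed case cannot hide a keyword."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def scan_query(url):
    """Return the names of the patterns matching the query string of url."""
    text = normalize(urlsplit(url).query)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_log(lines):
    """Return (line_number, matched_pattern_names) for each suspicious GET."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        names = scan_query(match.group(1)) if match else []
        if names:
            hits.append((number, names))
    return hits

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)}")
```

The patterns require keyword combinations rather than single words, so a book search for "union station" or "select poems" is not flagged; a legitimate query that happens to contain such a combination still would be.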
