Tomasz,

Just a quick question. How will you be able to tell on the Server Sensor whether an SQL query is legitimate or not...? The SQL syntax will be correct in both cases...

I suspect this will be very difficult to do. There are three phases as I see it.

The first is to make sure your application validates all user input so that it is not possible to inject SQL. This would include preventing the use of wildcards or metacharacters in some fields, validation of return parameters and variables, disabling the debug flag in the release version, etc, etc. This is very important (and difficult) to get right.

The second is to deploy an application firewall (such as Sanctum) in front of the web server. This acts as a backup to your validation code (in case there are any bugs etc) and also to trap / monitor for the other attack vectors.

The third layer is to use RS to monitor the servers and also the external network segment for bad stuff.

All of these are very good ideas. All of them cost money. Some more than others. It entirely depends on the risk. If you have financial data / credit card details in the DB then the risk is high. If you are just protecting against someone mangling less important data, the risk is much lower.

One final point. There are lots of other vulnerabilities of web applications too. Don't just concentrate on SQL injection. Cookie poisoning / parameter tampering are potentially much more serious in a badly designed application. Also don't forget the internal users...!

On the other hand, if this *is* possible in RS with Server or Network Sensors, I'd be really interested too...

#include <stddisclaimer.h>
#include <sanctumdistie.h>

Any questions please ask... Privately if you feel the response is not relevant to the list.

Kind Regards, Pozdrowienia,

Jon Paine
Technical Lead
Allasso European Support Centre
SMTP - mailto:[EMAIL PROTECTED]
WEB - http://support.allasso.com
Tel. 0870 366 8533 (+44 118 971 1533)
Fax. 0870 366 8544 (+44 118 971 1544)
PGP Fingerprint: ADD3 07AC ED47 292A BF61 E124 E81F 9249 7AD9 6E0C

> -----Original Message-----
> From: Tomasz Polus [mailto:[EMAIL PROTECTED]]
> Sent: 07 December 2002 19:34
> To: [EMAIL PROTECTED]
> Subject: [ISSForum] Monitoring SQL injection on Server Sensor
>
> Hi,
>
> I have RS Server Sensor 6.5 on a Windows 2000 web server
> (IIS5+SQL) and I would like to monitor any attempts at SQL
> injection against my SQL Server. Unfortunately, I haven't
> found anything about it on the web... weird but true.
> Can you suggest some ways of deploying such protection
> on RS SS? Maybe you could share some examples of signatures?
>
> Thank you very much for any help,
>
> --
> Tomasz Polus
>
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo
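The reply's first layer (validate input so SQL cannot be injected) and its opening point (the sensor sees syntactically valid SQL either way) can both be shown in a few lines. The following is an added example written for this thread, not code from either poster or from ISS/Allasso; it stands in an in-memory SQLite database for the SQL Server in the question, and the table, rows and the `users` lookup are constructed for illustration.

```python
"""Added example: string-built query vs. bound parameter, plus allow-list
validation for a field where metacharacters have no legitimate use.
The users table and its rows are constructed sample data."""
import re
import sqlite3


def make_db():
    """Constructed sample data: a user table as a web app might query it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def build_concat_sql(username):
    """The weak form: the statement is assembled by string concatenation,
    so whatever the client sends becomes part of the SQL text."""
    return ("SELECT username, role FROM users WHERE username = '"
            + username + "'")


def lookup_concat(conn, username):
    """Run the concatenated statement (the 'before' of the fix)."""
    return conn.execute(build_concat_sql(username)).fetchall()


def lookup_param(conn, username):
    """Hardened form: the value is bound as a parameter and is never
    parsed as SQL, so a quote in the input is just a character."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?",
        (username,)).fetchall()


def builds_valid_sql(conn, username):
    """Illustrates the point in the reply: the concatenated statement parses
    as valid SQL whether the input is benign or crafted, so a sensor that
    only checks syntax cannot separate the two. EXPLAIN makes SQLite parse
    and plan the statement without executing the query itself."""
    try:
        conn.execute("EXPLAIN " + build_concat_sql(username))
        return True
    except sqlite3.Error:
        return False


# Allow-list for a username field: letters, digits, '_', '.', '-' only.
# This is the reply's "preventing the use of wildcards or metacharacters
# in some fields"; the character set is an assumption for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Return True only if the value matches the allow-list exactly."""
    return USERNAME_RE.fullmatch(value) is not None


def safe_lookup(conn, username):
    """What the first layer looks like end to end: reject anything outside
    the allow-list, and bind the value even when it passes."""
    if not validate_username(username):
        return None
    return lookup_param(conn, username)


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "x' OR '1'='1"):
        print(repr(probe), "valid SQL when concatenated:",
              builds_valid_sql(db, probe),
              "| concat rows:", len(lookup_concat(db, probe)),
              "| bound rows:", len(lookup_param(db, probe)),
              "| allow-list:", validate_username(probe))
```

The two inputs produce equally well-formed SQL, which is why the reply says the sensor cannot judge by syntax alone; only the bound query and the allow-list separate them, and a trivially malformed input such as a stray quote breaks the concatenated statement where the crafted one does not.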
