OSSEC for Sql injection attack


satish patel

Feb 3, 2011, 1:00:40 PM
to ossec...@googlegroups.com
How efficient is OSSEC at stopping SQL injection? If it is not, then I have
to move on to mod_security.

Is anybody out there using OSSEC for SQL injection?


Thanks,
S

Steven Stern

Feb 3, 2011, 1:42:09 PM
to ossec...@googlegroups.com
It's very good at detecting SQL injection, but your code shouldn't
(<smile>) be susceptible to it. mod_security has its own issues with
false positives.

--
-- Steve

Jeremy Lee

Feb 3, 2011, 1:42:16 PM
to ossec...@googlegroups.com
See here:

http://www.ossec.net/wiki/Samples_of_attacks_detected_by_ossec


I would think the only issue here is that OSSEC is *responsive* and will look for patterns from the logs post-occurrence. So if your app is vulnerable to SQL injection, theoretically, the attacker would get in on the first try but could be blocked (depending on how you set up the Active Response) from then on out.


Someone correct me if I'm wrong, but OSSEC may not be the best single tool to use to mitigate SQL Injection attacks. However, you can use OSSEC and ModSecurity together - ModSec would be set up to block the attack and OSSEC would be used to alert on any occurrences in the Apache/ModSec logs.

Justin C. Klein Keane

Feb 3, 2011, 1:42:22 PM
to ossec...@googlegroups.com

If you really want to stop SQL injection you need to update your
application code. Bolting on security will only buy you some wiggle
room, it won't solve the problem.

OSSEC is very good at recognizing keyword signatures in URL requests
after they are written to the log, but at that point the injection has
taken place. OSSEC is not an intrusion prevention system, it is an
intrusion detection system. An effective use of OSSEC would be to
detect potential SQL injection attacks so they can be investigated and
vulnerable code remediated or incident response can ensue.

Justin C. Klein Keane

Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 520
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.sas.upenn.edu/computing/user/3


tanishk lakhaani

Feb 4, 2011, 1:39:52 PM
to ossec...@googlegroups.com
Well, I think that deploying active response can be a good way to prevent SQL injection based attacks. However, there may be a few issues related to it, viz. the decoders in OSSEC are designed to indicate a SQL injection attack whenever SELECT/UNION or any other SQL based command is used in the request. This may be a bit of a hindrance, as it may be that legitimate traffic is being blocked.

I have already deployed Active Response in a testing environment, and post deployment launched a Nessus scan, and to my surprise, Active Response turned out to be fantastic at preventing SQL injection based attacks.
 
Regards
Tanishk

--
warm regards
Tanishk Lakhaani

Steven Stern

Feb 4, 2011, 3:48:57 PM
to ossec...@googlegroups.com
On 02/04/2011 12:39 PM, tanishk lakhaani wrote:
> Well, I think that deploying active response can be a good way to
> prevent SQL injection based attacks. However, there may be a few issues
> related to it, viz. the decoders in OSSEC are designed to indicate a SQL
> injection attack whenever SELECT/UNION or any other SQL based command
> is used in the request. This may be a bit of a hindrance, as it may be
> that legitimate traffic is being blocked.
>
> I have already deployed Active Response in a testing environment, and post
> deployment launched a Nessus scan, and to my surprise, Active Response
> turned out to be fantastic at preventing SQL injection based attacks.
>
> Regards
> Tanishk
>
Unfortunately, the first attack line probably gets through. By the way,
mandatory XKCD reference: http://xkcd.com/327/

--
-- Steve

tanishk lakhaani

Feb 4, 2011, 10:46:26 PM
to ossec...@googlegroups.com
Yes, the active response works on the basis of this only... When you launch a scan, a few attacks will actually pass through; only then will the agent forward the corresponding logs to the OSSEC server, which will then decide whether to use Active Response or not. Once the server decides to use active response, all the future attacks from the attacker IP will be prevented from being executed. This is how active response works.

By the way, Steve, can you please tell me how the link that you have just circulated (the XKCD reference) is helpful to us?
 
Regards
Tanishk

Jeremy Lee

Feb 5, 2011, 12:51:41 AM
to ossec...@googlegroups.com
I think his point is that one attack 'passing' through is enough. Think about it - if they can get an attack through that successfully commits a DROP TABLE statement, you're already in the black. Whether you've dropped them at that point or not doesn't really matter because they've accomplished what they wanted to do. On top of that, most hackers will be coming from multiple IPs if they really want to hack you - so drop one IP and move to the next. But every new IP the hacker uses, if he knows exactly what statement to issue, can do a lot of damage. So the real solution is to fix the vulnerable code. Otherwise, if the developers are unwilling, modsecurity would be the next choice (of course, the mitigation of 'code' is now in your hands...). If developers are unwilling to fix vulnerable code, it's not merely a problem of bad coding. It's more likely an issue of politics.

Michael Starks

Feb 5, 2011, 10:54:54 AM
to ossec...@googlegroups.com
On 02/04/2011 11:51 PM, Jeremy Lee wrote:
> I think his point is that one attack 'passing' through is enough. Think
> about it - if they can get an attack through that successfully commits a
> DROP TABLE statement, you're already in the black. Whether you've
> dropped them at that point or not doesn't really matter because they've
> accomplished what they wanted to do. On top of that, most hackers will
> be coming from multiple IPs if they really want to hack you - so drop
> one IP and move to the next. But every new IP the hacker uses, if he
> knows exactly what statement to issue, can do a lot of damage. So the
> real solution is to fix the vulnerable code. Otherwise, if the
> developers are unwilling, modsecurity would be the next choice (of
> course, the mitigation of 'code' is now in your hands...). If developers
> are unwilling to fix vulnerable code, it's not merely a problem of bad
> coding. It's more likely an issue of politics.

You bring up some very good points and of course you are exactly
correct. OSSEC is NOT a HIPS and it would be a mistake to think Active
Response is an effective way to ensure things like SQL injection flaws
cannot be exploited. What I can say--based on my "real world"
experience--is that Active Response does a pretty good job of preventing
breaches. All but the most sophisticated attackers will do some sort of
enumeration and there are rules in place to detect that, which can also
initiate an Active Response. Of course, these work best when layered
with things like mod_security. Another good reason to layer security
protection measures is that it's not unheard of to put something in
"look-but-don't-touch" mode and forget about it when troubleshooting a
problem. With just one layer, like OSSEC, you have nothing if it gets
turned off. But with multiple layers, there is at least something in
place to protect you.

Steven Stern

Feb 5, 2011, 9:44:54 AM
to ossec...@googlegroups.com
On 02/04/2011 09:46 PM, tanishk lakhaani wrote:
> Yes, the active response works on the basis of this only... When you
> launch a scan, a few attacks will actually pass through; only then will the
> agent forward the corresponding logs to the OSSEC server, which will then
> decide whether to use Active Response or not. Once the server decides to
> use active response, all the future attacks from the attacker IP will be
> prevented from being executed. This is how active response works.
>
> By the way, Steve, can you please tell me how the link that you have just
> circulated (the XKCD reference) is helpful to us?
>
> Regards
> Tanishk
>

Exactly. The first injection connection can be bad. I have run systems
that were found to be vulnerable to SQL injection. OSSEC detected the
attack, but we were being hit from multiple IPs over a long time at a
low rate. Active response wouldn't have helped. We were able to use
OSSEC's logs (and system logs) to figure out what scripts the attackers
were using. We took our systems off the internet, ran the same scans at
a high rate, and determined which parts of the system had not been
hardened against injection attacks. We then coded in a protection layer.
When we went back on the internet, OSSEC showed that the attacks
continued but without any success.

--
-- Steve
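A small Python model of the detect-then-block loop this thread keeps coming back to. It is an added example, not OSSEC's code and not anything the posters shared; the access-log lines are constructed and the signature regex is a stand-in for OSSEC's web rules. It shows three things from the discussion: the request that trips the rule has already reached the application, a keyword signature also fires on a benign search that happens to contain SELECT ... FROM, and a per-IP threshold meant to cut such false positives never blocks a low-rate scan spread over several source addresses.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache access-log lines standing in for what OSSEC would read.
# Lines 1-2: one host sends a UNION-based probe twice. Line 3: a benign
# search whose query string merely contains SELECT ... FROM. Lines 4-5: two
# other hosts each send a single probe (a low-rate, multi-IP pattern).
LOG = """\
10.0.0.5 - - [04/Feb/2011:12:39:01 -0500] "GET /item.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512
10.0.0.5 - - [04/Feb/2011:12:39:02 -0500] "GET /item.php?id=1%20UNION%20SELECT%20user,pw HTTP/1.1" 200 2048
10.0.0.9 - - [04/Feb/2011:12:40:10 -0500] "GET /search.php?q=select%20year%20from%20dropdown HTTP/1.1" 200 900
10.0.0.7 - - [04/Feb/2011:12:41:00 -0500] "GET /item.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 512
10.0.0.8 - - [04/Feb/2011:12:42:00 -0500] "GET /item.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
# Keyword-style signature in the spirit of OSSEC's web rules (a stand-in, not
# the real rule set): it matches tokens, not intent, so it fires on line 3 too.
SQLI_RE = re.compile(r"union\s+select|'\s*or\s+\d+=\d+|select\s+\S+\s+from|drop\s+table", re.I)

def simulate(log, threshold=1):
    """Replay a request stream through a detect-then-block loop.
    A request reaches the application unless its source IP is already
    blocked; the log line is matched only afterwards, so the request that
    trips the rule has already been served. After `threshold` matches from
    one IP that IP is blocked (the firewall-drop step of active response).
    Returns (outcomes, blocked): 'served', 'served+alert' or 'dropped' per
    request, plus the set of blocked IPs."""
    hits = defaultdict(int)
    blocked = set()
    outcomes = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url = m.group(1), unquote(m.group(2))
        if ip in blocked:                 # block already installed
            outcomes.append("dropped")
            continue
        if SQLI_RE.search(url):           # post-hoc log analysis
            hits[ip] += 1
            if hits[ip] >= threshold:
                blocked.add(ip)
            outcomes.append("served+alert")
        else:
            outcomes.append("served")
    return outcomes, blocked
```

With threshold=1 every source's first request is served before its block lands, including the benign search from 10.0.0.9; raising the threshold to 3 removes that false positive, but then none of the single-probe hosts is ever blocked.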

Michael Starks

Feb 5, 2011, 11:52:17 AM
to ossec...@googlegroups.com
> Exactly. The first injection connection can be bad. I have run systems
> that were found to be vulnerable to SQL injection. OSSEC detected the
> attack, but we were being hit from multiple IPs over a long time at a
> low rate. Active response wouldn't have helped. We were able to use
> OSSECs logs (and system logs) to figure out what scripts the attackers
> were using. We took our systems off the internet, ran the same scans at
> a high rate, and determined which parts of the system had not been
> hardened against injection attacks. We then coded in a protection layer.
> When we went back on the internet, OSSEC showed that the attacks
> continued but without any success.

This is a great testimonial to how OSSEC can raise awareness. Without
something like OSSEC, most people are simply unaware of what is
happening. So this allowed you to focus on a particular area that was
problematic and fix it.


Jeremy Lee

Feb 5, 2011, 12:01:42 PM
to ossec...@googlegroups.com
That gets me thinking - any chance Daniel and the crew would consider implementing a HIPS/HIDS (inline) extension for OSSEC? That would be awesome... Of course, we have already mentioned ModSecurity. There's another one that looks really promising called "AppSensor" (check the OWASP pages - it's all on a Google code site). Haven't tried implementing AppSensor yet but it integrates more at the application level than it does at the OS level.

Jeremy Lee

Feb 5, 2011, 12:08:44 PM
to ossec...@googlegroups.com
Oops. Meant to reply to Michael's post - also I had a 'typo' and added "HIDS" (OSSEC is a HIDS...DUH) - I just meant "HIPS (inline)"

Satish Patel

Feb 5, 2011, 5:41:05 PM
to ossec...@googlegroups.com
This is kind of cool, we can at least stop future attacks. Also we can
place a honeypot and fine tune OSSEC for SQL injection kind of attacks.

--
Sent from my iPhone

Prashanth Basappa

May 18, 2015, 7:33:39 PM
to ossec...@googlegroups.com, sati...@gmail.com
Hi, can anybody share your active-response code to detect SQL injection?