Support Forum
sandy2810
New Contributor

Fortigate UTM IPS fails to detect SQL Injection attacks.

Hi Everyone, I am finding it difficult to comprehend why our FortiGate IPS fails to detect SQL injection attacks. Our Cisco IPS, however, detects these kinds of attacks. Initially I thought that the alerts generated by the Cisco IPS were false positives; however, I was wrong. It correctly detected the SQL injection attempts that I made to confirm the validity of the alert. The weird part is that our Cisco IPS has outdated IPS signatures yet it detects such attacks, and the FortiGate with the latest IPS signatures fails to. Any explanation of the above issue will be interesting. Regards
emnoc
Esteemed Contributor III

Does the Cisco list the CVSS value, and is the attack signature a commonly known attack? Once you find out the attack signature (e.g. Nessus ID), you can review your FGT to ensure that signature is enabled in your IDS/IPS sensor. It can't detect something that's not enabled.

PCNSE NSE StrongSwan
sandy2810

Cisco does not list the CVSS value but it has the Signature ID 5930. You may google it for more details on the signature. This attack signature should be a known attack in my opinion. I have enabled medium, high and critical signatures on the FGT. I scanned for SQL injection related signatures and found them enabled on the FGT. The thing that bothers me is that I tried the attack using the Firefox plugin SQL Inject Me; the FGT failed to detect it whereas the Cisco IPS detected the attempt.
emnoc
Esteemed Contributor III

ID 5930
So you will need to query your active engaged signatures, and you might want to query your IPS database (http://www.fortiguard.com/updates/ips.html), e.g. get system status (to validate your signature DB). If your database is not up to date, then push or pull an update. Then query the signature in your UTM > Intrusion > IPS sensor and make sure it's applied. Once again, if the signature is not applied then it can't identify the attack.

PCNSE NSE StrongSwan
sandy2810

The IPS database on the FGT is the latest. I have enabled all signatures related to SQL but it would still not detect the attack. I would probably relate this behavior to a buggy FortiOS version 5. I have heard a lot from the industry that this particular version is not stable yet. I don't quite understand why Fortinet had to release it when it had so many bugs. What's your take on this? Regards
emnoc
Esteemed Contributor III

Not running v5 on anything in production outside of a FWF60D for my home/lab, so I can honestly make a comment. For the signatures, you will need to look at mssql-xss-injection or mysql-xss-injection or something like that. Then, to confirm the signature triggers, use something like Nessus to test a host and see if you get an alert. Set the action to log and no blocking.

PCNSE NSE StrongSwan