[Bro-Dev] [JIRA] (BIT-1411) SQL_Injection_Victim is a misleading name

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Tue Sep 8 18:29:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22010#comment-22010 ] 

Seth Hall commented on BIT-1411:
--------------------------------

I forgot to reply to the other half of Vern's original comment.  The intent for this detection being split into two like it is, is to enable some fancier detection and mitigations.  By splitting the detection in two we can actually detect a host being attacked even if every single attack is coming from a different IP address and generally knowing who the attacker is in that case is difficult.  Eventually the plan is to enable reactions to attacks by denying service quickly to external hosts with a greatly reduced threshold because presumably the host would only begin to be protected once it's under an ongoing attack.

> SQL_Injection_Victim is a misleading name
> -----------------------------------------
>
>                 Key: BIT-1411
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1411
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Vern Paxson
>
> I suggest changing the name of this notice to {{SQL_Injection_Target}}.  Having "victim" in the name implies to me that the attack succeeded, which is not what the associated logic is about.
> Indeed, I even wonder if this notice is useful.  The information should be directly available from {{SQL_Injection_Attacker}} notices (though it doesn't appear to be currently set up to provide this - why not?).



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-04-018#70102)
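Seth's point about the two-sided split, as an added Python model (not Bro script code and not anything from the tracker): the same stream of requests feeds a per-source counter and a per-target counter, so a target hit by many distinct sources crosses the target-side threshold even though no single source crosses the attacker-side one, and once a target is flagged the per-source threshold drops, as his comment proposes. The thresholds, window, the crude SQLi pattern, host names and IPs are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed thresholds (assumptions for this example, not Bro's defaults).
ATTACKER_THRESHOLD = 10   # SQLi-looking requests from one source IP within WINDOW
VICTIM_THRESHOLD = 10     # SQLi-looking requests aimed at one target host within WINDOW
PROTECTED_THRESHOLD = 2   # per-source threshold once the target has been flagged
WINDOW = 300.0            # seconds

# Deliberately crude SQLi indicator for the toy: a quote followed by OR/UNION/comment.
SQLI_RE = re.compile(r"(?:%27|')(?:%20|\+|\s)*(?:or|union|--|#)", re.IGNORECASE)

def _count(buf, ts):
    """Append ts to a sliding-window buffer and return how many entries remain in WINDOW."""
    buf.append(ts)
    buf[:] = [t for t in buf if ts - t <= WINDOW]
    return len(buf)

def detect(events):
    """events: iterable of (ts, src_ip, target_host, uri) in time order.
    Returns the notices in firing order as (notice_name, key, ts)."""
    by_src, by_target = defaultdict(list), defaultdict(list)
    flagged_targets, flagged_sources, notices = set(), set(), []
    for ts, src, target, uri in events:
        if not SQLI_RE.search(uri):
            continue
        # Target-side count: rises no matter how many distinct sources contribute.
        if _count(by_target[target], ts) >= VICTIM_THRESHOLD and target not in flagged_targets:
            flagged_targets.add(target)
            notices.append(("SQL_Injection_Victim", target, ts))
        # Source-side count, with the reduced threshold once the target is flagged.
        thr = PROTECTED_THRESHOLD if target in flagged_targets else ATTACKER_THRESHOLD
        if _count(by_src[src], ts) >= thr and src not in flagged_sources:
            flagged_sources.add(src)
            notices.append(("SQL_Injection_Attacker", src, ts))
    return notices

def distributed_scenario():
    """Constructed: 12 distinct sources, two SQLi requests each, one target host.
    No single source reaches ATTACKER_THRESHOLD, but the target host does."""
    return [(10.0 * i + k, f"198.51.100.{i}", "shop.example", "/item?id=1'%20OR%201=1--")
            for i in range(12) for k in range(2)]

def single_source_scenario():
    """Constructed: one source, 10 SQLi requests with a benign request in between."""
    ev = [(float(t), "203.0.113.7", "shop.example", "/item?id=1'+UNION+SELECT+1--") for t in range(10)]
    ev.insert(5, (4.5, "203.0.113.7", "shop.example", "/item?id=42"))
    return ev

if __name__ == "__main__":
    for notice in detect(distributed_scenario()):
        print(*notice)
```

In the distributed scenario the Victim notice fires on the tenth request to the target, and only the sources that keep sending after that point trip the reduced per-source threshold; the first four sources never produce an Attacker notice at all.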