[Bro] [bro] SQL Injection Victim

Azoff, Justin S jazoff at illinois.edu
Sun Sep 18 18:51:53 PDT 2016


> On Sep 17, 2016, at 9:30 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> 
> I seem to get a lot of notices for SQL Injection Victim with the Address field as an external IP, a lot of times Amazon, or another large host.  Why is this finding "Victims" that are not in my internal network as defined in network.cfg?
> 
> Is there a way to get this to only send notices when an internal host has an SQL attack?
> 

If you've set those notices to email by default:

hook Notice::policy(n: Notice::Info)
{
    # Attacker notices carry the attacking host in $src; drop them when it is one of ours.
    if ( n$note == HTTP::SQL_Injection_Attacker && Site::is_local_addr(n$src) ) {
        n$actions = set();   # strip every action, including ACTION_EMAIL
        break;               # stop other Notice::policy handlers from re-adding them
    }
    # Victim notices carry the targeted server in $src; drop them when it is not ours.
    if ( n$note == HTTP::SQL_Injection_Victim && !Site::is_local_addr(n$src) ) {
        n$actions = set();
        break;
    }
}

Otherwise, you could leave them out of the emailed notices and use the reverse policy to add the email action.

-- 
- Justin Azoff
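The "reverse policy" Justin mentions, written out as an added example (this is not code from the thread or from Bro's own scripts): the two SQLi notice types stay out of Notice::emailed_types, and a Notice::policy hook attaches ACTION_EMAIL only when the address in $src is inside Site::local_nets, i.e. the networks from networks.cfg. In the stock protocols/http/detect-sqli script the Victim notice's $src is the server that received the requests and the Attacker notice's $src is the client that sent them; the `n?$src` guard is there because $src is an &optional field of Notice::Info and reading an unset field is a runtime error.

```bro
# Added example: mail SQLi notices only for the hosts we care about.
# Assumes HTTP::SQL_Injection_Victim / _Attacker are NOT listed in
# Notice::emailed_types, so they carry no ACTION_EMAIL unless we add it.

@load base/frameworks/notice
@load protocols/http/detect-sqli

# Assumption: mail goes to the usual Notice::mail_dest; set it if unset.
redef Notice::mail_dest = "security@example.com";

hook Notice::policy(n: Notice::Info)
    {
    # Both SQLi notice types set $src, but $src is &optional on
    # Notice::Info, so guard before reading it.
    if ( ! n?$src )
        return;

    # Victim notices: $src is the server that received the injection
    # attempts.  Only mail when that server is in our address space.
    if ( n$note == HTTP::SQL_Injection_Victim && Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_EMAIL];

    # Attacker notices: $src is the client sending the attempts.  Mirror
    # the drop rule above and mail only for clients outside our networks.
    if ( n$note == HTTP::SQL_Injection_Attacker && ! Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Because this hook only adds an action, it does not need `break`; other Notice::policy handlers (for example a suppression hook) still run. If you later do put these types into Notice::emailed_types, the drop-style hook from the reply above is the one you want, since ACTION_EMAIL would then already be present before this hook runs.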




More information about the Bro mailing list