[Bro] [bro] SQL InjectionVictim
Azoff, Justin S
jazoff at illinois.edu
Sun Sep 18 18:51:53 PDT 2016
> On Sep 17, 2016, at 9:30 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
>
> I seem to get a lot of notices for SQL Injection Victim with the Address field as an external IP, a lot of times Amazon, or another large host. Why is this finding "Victims" that are not in my internal network as defined in network.cfg?
>
> Is there a way to get this to only send notices when an internal host has an SQL attack?
>
If you've set those notices to email by default:
hook Notice::policy(n: Notice::Info)
    {
    # Drop all actions for "attacker" notices whose source is one of our own hosts.
    if ( n$note == HTTP::SQL_Injection_Attacker && Site::is_local_addr(n$src) )
        {
        n$actions = set();
        break;
        }
    # Drop all actions for "victim" notices whose address is not a local host.
    if ( n$note == HTTP::SQL_Injection_Victim && !Site::is_local_addr(n$src) )
        {
        n$actions = set();
        break;
        }
    }
Otherwise you could not add them to emailed notices and use the reverse policy to add the email action.
--
- Justin Azoff
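The reverse policy mentioned in the reply, written out as an added example (not code from the original post or from the Bro project): HTTP::SQL_Injection_Victim is left out of Notice::emailed_types, and the email action is attached only when the victim address (n$src) is local according to Site::is_local_addr. The `n?$src` guard assumes the notice may arrive without a src field.

```bro
# Added example: only email SQL_Injection_Victim notices whose victim is a local host.
# Assumes HTTP::SQL_Injection_Victim has NOT been added to Notice::emailed_types,
# so the email action is granted here instead of being stripped.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == HTTP::SQL_Injection_Victim && n?$src && Site::is_local_addr(n$src) )
        # Grant the email action only for victims inside the networks listed in network.cfg.
        add n$actions[Notice::ACTION_EMAIL];
    }
```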