Examples of SQLi attacks can be found on the OWASP wiki
. The underlying flaws enabling SQLi attacks are introduced when developers create dynamic database queries that include user input.
Remediating SQLi attacks involves fixing coding defects that allow user-supplied input that can contain malicious SQL from modifying the logic of the query. The OWASP wiki details some suggested defenses that application developers use to avoid introducing SQLi-enabling flaws.
The first step in dealing with SQLi exploits is detecting and investigating them. When under attack, the following questions are critical:
- When was I attacked?
- Where was I attacked?
- How widespread was the attack?
- Were any files or tables overwritten?
- Who is attacking me, and are others being attacked as well?
Using AlienVault USM to Detect SQL Injection Attacks
can help you detect these attacks and answer the questions above with several integrated security technologies including host-based IDS, network IDS and real-time threat intelligence.
Network IDS spotting SQLi
The built-in to AlienVault USM gives you the ability to monitor all connection requests coming to your web server, plus it includes built-in correlation directives to spot activity indicative of a SQLi. Since the threat landscape is always changing, the Network IDS signatures are updated weekly based on threat research conducted by the AlienVault Lab research team, so you can stay current on new attacks.
Host IDS detecting SQLi by watching file activity
USM also includes a so you can monitor activity locally on a server. In this case, the HIDS agent would be installed on the web server itself, parsing the logs on your Apache or IIS server. Again, the built-in correlation rules in AlienVault USM make it possible to detect activity consistent with SQLi attacks and alert you immediately. The AlienVault HIDS also monitors changes to files so you have visibility into which files and tables in your database were affected by the attack.
Here’s an example of the USM console displaying SQLi and the associated threat details:
List of Recent SQLi Events
Details about the Threat
Real-time Threat Intelligence from the AlienVault Open Threat Exchange
In addition, AlienVault USM uses real-time threat intelligence from the AlienVault ) to spot connections with known bad actors. These are known malicious hosts or attackers whose IPs have shown up in OTX because they attacked other OTX contributors, have been identified by other threat sharing services we use, or have been identified via independent research conducted by our AlienVault Labs team.
OTX data provides context to the IDS information and can increase your confidence that a threat detected is malicious, since the activity you are observing is from a known malicious host. In addition, USM combines and correlates input from HIDS, NIDS and OTX via its built-in Security Information and Event Management (SIEM) capabilities, giving you the full picture of threats in your environment.
AlienVAult USM provides a single console with the information you need to do fast and effective incident response. Learn more: