IBM Guardium

  • 1.  SQL injection - policies

    Posted Fri September 25, 2020 10:05 AM
    Hi,

    Is there any documentation that indicates how to implement policies to detect SQL injection (not just based on the number of errors)? Or indicate good practices for implementing rules? (Access to the database structure, typical SQLi expressions, etc.)

    Best regards

    ------------------------------
    Chosko
    ------------------------------


  • 2.  RE: SQL injection - policies

    Posted Fri September 25, 2020 12:38 PM
    Hi Chosko,

    Have you seen the basic security monitoring policy included in Guardium (starting from v11.1)? It has a few rules pertaining to SQL injection. Also, the active threat analytics in Guardium can detect SQL injection attacks.

    Leila

    ------------------------------
    Leila Johannesen
    ------------------------------



  • 3.  RE: SQL injection - policies

    Posted Mon September 28, 2020 05:19 AM
    Hello Leila, thanks for your reply.
    Are these rules available in previous versions (10.x)? I will investigate Threat Detection Analytics, thanks so much.

    ------------------------------
    Chosko
    ------------------------------



  • 4.  RE: SQL injection - policies

    Posted Mon September 28, 2020 12:04 PM
    Hi Chosko,

    The basic security monitoring policy template is only available in 11.1 and onwards.
    Also, the active threat analytics is a feature from V11 onwards.

    ------------------------------
    Leila Johannesen
    ------------------------------



  • 5.  RE: SQL injection - policies

    Posted Mon September 28, 2020 02:28 AM
    Hi Chosko,

    I do not find any specific policy rule to identify SQL-i. But you can configure the exception data security policy rule and configure the condition for the "SQL ERROR" exception, e.g. 20 SQL errors in 5 minutes. Also you can configure the alert for the same rule and you can see it in the policy violation report.
    Then, to investigate the suspected SQL injection attack, you can refer to the technote below. This technote describes investigating a suspected SQL injection attack using the threat diagnostic dashboard.

    https://www.ibm.com/support/knowledgecenter/SSMPHH_11.2.0/com.ibm.guardium.doc/monitor/threat_diagnostic_investigating_sql.html

    Thank you

    ------------------------------
    Sachin Shende
    Security Consultant
    IBM
    +91-9561-650-383
    ------------------------------
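The threshold rule described in the reply above (an exception condition such as 20 SQL errors in 5 minutes, per client), reimplemented here as a stand-alone sliding-window detector over constructed exception records. This is an added illustration, not Guardium's own policy engine or its data format; the record layout, client addresses and timestamps are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                 # "20 SQL errors"
WINDOW = timedelta(minutes=5)  # "in 5 minutes"


def build_sample_log():
    """Constructed exception records: '<ISO timestamp> <client> <exception type>'."""
    base = datetime(2020, 9, 28, 10, 0, 0)
    lines = []
    # 22 SQL errors from one client inside two minutes: should trigger the rule
    for i in range(22):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.0.0.5 SQL_ERROR")
    # 30 SQL errors from another client spread over an hour: never 20 within 5 minutes
    for i in range(30):
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} 10.0.0.7 SQL_ERROR")
    # a different exception type does not count towards the SQL error condition
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 10.0.0.9 LOGIN_FAILED")
    return sorted(lines)  # ISO timestamps sort chronologically


def parse_record(line):
    ts, client, kind = line.split()
    return datetime.fromisoformat(ts), client, kind


def detect_sql_error_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (client, timestamp) pairs at which a client reached `threshold`
    SQL errors within the trailing `window`; the counter resets once an alert fires."""
    recent = defaultdict(deque)  # client -> timestamps of SQL errors still inside the window
    alerts = []
    for line in lines:
        ts, client, kind = parse_record(line)
        if kind != "SQL_ERROR":
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop errors that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((client, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for client, ts in detect_sql_error_bursts(build_sample_log()):
        print(f"ALERT {client}: {THRESHOLD} SQL errors within {WINDOW} ending {ts}")
```

Only the client that produced a dense burst fires the alert; the client with the same number of errors spread over an hour never does, which is exactly what a rate-based condition can and cannot see.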



  • 6.  RE: SQL injection - policies

    Posted Mon September 28, 2020 05:28 AM
    Hi Sachin, thanks for your reply.
    These kinds of rules based only on SQL errors have a lot of false positives, in my case. I will investigate this feature. Thank you so much.


    ------------------------------
    Chosko
    ------------------------------