Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
tom_barat
Participant

R80.10 Security Gatway IPS detects SQLi but not command injection

Hi,

I have a vulnerable web server behind a R80.10 Security gateway. I activated a strict IPS profile on the gateway.

When i use a machine in front of the firewall module to make simple attacks on the web server the FW properly detects and blocks SQLi attempts, but not command injection such as inserting " ;ls " in a field.

This behavior is exactly the same for https and http traffic.

Is there a specific feature to enable or specific configuration for the firewall to be able to block command injection attacks ?

Thank you in advance.

17 Replies
PhoneBoy
Admin
Admin

This is more of a Threat Prevention‌ question.

Have you opened a TAC case, by chance?

0 Kudos
tom_barat
Participant

Hi, thank you for moving the question to the appropriate location.
I don't even have enough privileges to see sk solutions so i don't think i can open support tickets, please let me know if i am mistaken.

0 Kudos
PhoneBoy
Admin
Admin

As a partner (based on the email address in your profile), I would think you could open support tickets.

You should have SK access at the very least.

In any case, have you looked into these protections?

Note that one of them is actually a "Core Protection" (enforced in the firewall versus IPS):

0 Kudos
tom_barat
Participant

I will try to open a support ticket.

The protections you showed are all in prevent mode in my IPS profile, the "core prevention" one is in drop mode.

0 Kudos
ED
Advisor

Hi,

Open IPS Protections, on your right side in the filter options for the Product filter select SQL Server. You will get around 21 currently protections. Are all of them set to Prevent for your profile?

Specially these:

Also double check IPS profile assigned for your gateways under Threat Prevention

0 Kudos
tom_barat
Participant

Thank you for your answer but i think you might have misread the question. SQLi is not the problem, these injections are properly blocked and the FW module behaves as expected for this type of attacks.

Command injection is the issue. However, i checked the command injection protections in IPS protections, and " command injection over HTTP" is indeed in prevent mode for the profile associated to my FW module.

0 Kudos
PhoneBoy
Admin
Admin

I checked with our team that works on IPS protections.

The protection is currently focusing more on other commands which can do more damage.

"ls" doesn't cause damage on it's own Smiley Happy

That said, we're working on updating the signatures to address this--expected timeframe is end of this week.

0 Kudos
tom_barat
Participant

Okay thank you, i guess i could have tried with " rm " or some "wget" to see what was happening.

Also the XSS attacks i tried were harmless js scripts containing " alert('hello'); " and they were blocked so i assumed it was the exploitation of the vulnerability that was blocked, regardless of whether this exploitation was harmful.

Anyway thanks for the info.

0 Kudos
PhoneBoy
Admin
Admin

FYI the protection this should trigger on is Command Injection over HTTP.

This signature should receive an update in the near future.

0 Kudos
tom_barat
Participant

Thank you for following up on this.

However i think i had an additional issue anyway, because  the IPS on my firewall module only detects URL-based attacks. An XSS attack where the script is contained in parameters of the request and not in the url will not be blocked.

I have to work on this.

0 Kudos
Omer_Shliva
Employee
Employee

Hi Tom, 

Please approach TOC with questions regarding protections.

Please make sure to attach relevant Pcaps.

TOC@checkpoint.com

Thanks.

0 Kudos
tom_barat
Participant

I would but as i discovered trying to do so, i also have a packet capture problem, where the FW module does not capture packets by default, and explicitely enabling it on my threat prevention policy not only does not work but also disables logging for all IPS protections.

I think i will need advanced help from the support, and probably a reinstall since my lab runs on vms with limited storage to install hotfixes.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

In VMs, if there is enough storage available, but not used for CP yet, please just follow sk94671 How to add hardware resources, such as log storage, to a VMware Virtual Machine running Gaia... .

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
tom_barat
Participant

Thank you for your  answer, i figured out this was the issue and fixed it in the meantime.

Maybe adding a quick warning that insufficient storage can break some features would be nice, as a total beginner i was under the impression the appliances would delete old logs as time went by, rather than keep accumulating logs and have broken features.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

There is an (configurable) automatism to rotate logs, but there is also a suggested free space needed for logging, depending on traffic load, active blades and logs generated. Every troubleshooting sessions first CLI command on SSH should be

# df

as full storage will make the system not work at all...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
tom_barat
Participant

Good to know, in my specific case i did enable log rotation but i guess i set the threshold too low. I will make sure to check free space requirements for each blade and set the threshold accordingly in case i run into obscure issues again.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

We have two concerns: A GW must have log rotation set to a value that leaves enough space for the FW to work. The SMS where the logs are sent to better gets a rather generous amount of free space and we have also to consider SmartEvent if used. The biggest advantage of SMS on ESX is that i am able to add storage whenever i need to, and that the storage is only used when needed (if conmfigured in that way).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events