Dominick Absent Member.

Creating an Alert for SQL Injection Attack

Hello:

How can I create an alert via the ESM to alert me of a SQL Injection Attack such as this one:

http://dshield.org/diary.html?storyid=12127

I'd like to be alerted via email if one of the workstations on my network tries to visit the posted criminal domain name/URL in the article above.

Thanks,

Dom

srinivas.uppugo Absent Member.

Re: Creating an Alert for SQL Injection Attack

Assuming you have an environment where all your web connections are via a web proxy and that you are sending your web proxy logs to ESM.

You could try creating a rule as follows:

Conditions: RequestURL Contains "lilupophilupop.com/sl.php"

And under Actions > On First Event > Send Notification, and in the message include $attackerHostName & event time, etc.

Copy this rule to your RealTimeRules folder.

Test your rule with an active channel and confirm if you see any hits.

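The following is an added example, not part of the thread and not ArcSight code: a stand-alone Python stand-in for the rule Srinivas describes, run over constructed proxy log lines. The only indicator it uses is the "lilupophilupop.com/sl.php" string from the reply above; the log line format, the host names and IP addresses, and the "notify once per attacker host" interpretation of "On First Event" are assumptions made for the example.

```python
"""Added example: emulate a 'RequestURL Contains <indicator>' correlation rule
with a 'Send Notification on first event' action over proxy log lines.
Not ArcSight ESM code; the log format and sample data are constructed."""
import re
from urllib.parse import urlsplit

# Indicator string taken from the reply above (the only page-sourced value here).
INDICATORS = ["lilupophilupop.com/sl.php"]

# Constructed sample proxy log: "<time> <src_ip> <method> <url> <status>".
# Host 10.1.20.14 hits the indicator twice to show first-event deduplication,
# 10.1.20.31 hits it with different letter case and a query string.
SAMPLE_LOG = """\
2011-12-05T10:15:02Z 10.1.20.14 GET http://lilupophilupop.com/sl.php 200
2011-12-05T10:15:09Z 10.1.20.22 GET http://www.example.com/index.html 200
2011-12-05T10:16:41Z 10.1.20.14 GET http://cdn.example.net/js/app.js 304
2011-12-05T10:17:03Z 10.1.20.31 GET http://LILUPOPHILUPOP.COM/sl.php?x=1 200
2011-12-05T10:18:00Z 10.1.20.14 GET http://lilupophilupop.com/sl.php 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into an event dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return {"eventTime": ts, "attackerHost": src, "method": method,
            "requestUrl": url, "status": int(status)}


def matches_indicator(url, indicators=INDICATORS):
    """Emulate the 'RequestURL Contains' condition.

    The scheme is dropped and host+path are lower-cased so that case variants
    and trailing query strings still match (a deliberate choice here; check
    how your own ESM rule handles case before relying on it)."""
    parts = urlsplit(url)
    host_and_path = (parts.netloc + parts.path).lower()
    return any(ind.lower() in host_and_path for ind in indicators)


def build_notification(event):
    """Message body with the fields the reply suggests: attacker host and event time."""
    return ("Rule fired: request to known SQL-injection campaign URL. "
            f"attackerHost={event['attackerHost']} "
            f"eventTime={event['eventTime']} "
            f"requestUrl={event['requestUrl']}")


def detect_alerts(log_text, indicators=INDICATORS):
    """Apply the rule to every line; notify once per attacker host (assumed
    'On First Event' semantics). Returns the list of notifications produced."""
    alerts = []
    notified_hosts = set()
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or not matches_indicator(event["requestUrl"], indicators):
            continue
        if event["attackerHost"] in notified_hosts:
            continue  # already notified for this host; later hits are suppressed
        notified_hosts.add(event["attackerHost"])
        alerts.append({"attackerHost": event["attackerHost"],
                       "eventTime": event["eventTime"],
                       "message": build_notification(event)})
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_LOG):
        print(alert["message"])
```

Running it prints two notifications, one for 10.1.20.14 (its second hit is suppressed) and one for 10.1.20.31. Before promoting a rule like this to RealTimeRules, confirm in an active channel that the proxy connector actually populates the request URL field the condition reads; a rule that never sees the field will simply never fire.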
Dominick Absent Member.

Re: Creating an Alert for SQL Injection Attack

Thanks Srinivas

bbis11 Honored Contributor.

Re: Creating an Alert for SQL Injection Attack

Hello Srinivas,

Your reply has been of great help. Can you please let me know where I can write rules to be defined in ArcSight ESM?

balahasan.v1 Acclaimed Contributor.

Re: Creating an Alert for SQL Injection Attack

Dear Biswa Bhusan Biswal,

In the Resource Editor you have Rules. There you can edit all correlated alerts which perform some actions.

You can go for Filters for Reports, Dashboards, Queries and Real Time Active Channels, which is simple.

See the snap for reference and go through the ESM User Guide for more.

Thanks and Regards,

Balahasan.V
