3.1.1 SQL/Protect Overview

Table of Contents Previous Next



When SQL/Protect is switched to either passive or active mode, the incoming queries are checked against the list of learned relations.
The most frequent technique used in SQL injection attacks is issuing a tautological WHERE clause condition (that is, using a condition that is always true).
A dangerous action taken during SQL injection attacks is the running of unbounded DML statements. These are UPDATE and DELETE statements with no WHERE clause. For example, an attacker may update all users’ passwords to a known value or initiate a denial of service attack by deleting all of the data in a key table.
3.1.1.2.1 Protected Roles
Monitoring for SQL injection attacks involves analyzing SQL statements originating in database sessions where the current user of the session is a protected role. A protected role is an Advanced Server user or group that the database administrator has chosen to monitor using SQL/Protect. (In Advanced Server, users and groups are collectively referred to as roles.)
Note: A role with the superuser privilege cannot be made a protected role. If a protected non-superuser role is subsequently altered to become a superuser, certain behaviors are exhibited whenever an attempt is made by that superuser to issue any command:
The statistic in column superusers of edb_sql_protect_stats is incremented with every command issued by the protected superuser. See Section 3.1.1.2.2 for information on the edb_sql_protect_stats view.
These statistics are accessible from view edb_sql_protect_stats that can be easily monitored to identify the start of a potential attack.
The columns in edb_sql_protect_stats monitor the following:
username. Name of the protected role.
superusers. Number of SQL statements issued when the protected role is a superuser. In effect, any SQL statement issued by a protected superuser increases this statistic. See Section 3.1.1.2.1 for information on protected superusers.
relations. Number of SQL statements issued referencing relations that were not learned by a protected role. (That is, relations that are not in a role’s protected relations list.)
commands. Number of DDL statements issued by a protected role.
tautology. Number of SQL statements issued by a protected role that contained a tautological condition.
dml. Number of UPDATE and DELETE statements issued by a protected role that did not contain a WHERE clause.
Note: SQL/Protect statistics are maintained in memory while the database server is running. When the database server is shut down, the statistics are saved to a binary file named edb_sqlprotect.stat in the data/global subdirectory of the Advanced Server home directory.
View edb_sql_protect_queries contains the following columns:
username. Database user name of the attacker used to log into the database server.
ip_address. IP address of the machine from which the attack was initiated.
port. Port number from which the attack originated.
machine_name. Name of the machine, if known, from which the attack originated.
date_time. Date and time at which the query was received by the database server. The time is stored to the precision of a minute.
query. The query string sent by the attacker.
The maximum number of offending queries that are saved in edb_sql_protect_queries is controlled by configuration parameter edb_sql_protect.max_queries_to_save.


Table of Contents Previous Next