I seem to get a lot of notices for SQL Injection Victim with the Address field as an external IP, a lot of times Amazon, or another large host. Why is this finding “Victims” that are not in my internal network as defined in network.cfg?
Is there a way to get this to only send notices when an internal host has an SQL attack?
If you've set those notices to email by default:
hook Notice::policy(n: Notice::Info)
	{
	# Attacker notices where the "attacker" is one of our own hosts: clear all actions
	# (so no email) and stop any further policy handlers.
	if ( n$note == HTTP::SQL_Injection_Attacker && n?$src && Site::is_local_addr(n$src) )
		{
		n$actions = set();
		break;
		}
	# Victim notices where the "victim" is outside Site::local_nets: same treatment.
	# The n?$src check avoids a runtime error if a notice has no src field.
	if ( n$note == HTTP::SQL_Injection_Victim && n?$src && ! Site::is_local_addr(n$src) )
		{
		n$actions = set();
		break;
		}
	}
Otherwise, you could not add them to the emailed notices and use the reverse policy to add the email action.
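The reverse policy the reply mentions, written out as an added example that is not part of the original post. It assumes HTTP::SQL_Injection_Victim has been left out of Notice::emailed_types and that Site::local_nets is populated from the networks file (the question's network.cfg), so only victims inside those networks get the email action.

```zeek
# Added example, not from the original post.
# Assumes: HTTP::SQL_Injection_Victim is NOT listed in Notice::emailed_types,
# and Site::local_nets is populated (from the networks file) so that
# Site::is_local_addr() can tell internal hosts from external ones.
@load base/frameworks/notice
@load protocols/http/detect-sqli

hook Notice::policy(n: Notice::Info)
	{
	# Victim notices: email only when the "victim" (n$src, the Address column
	# in notice.log) is one of our own hosts. External victims such as cloud
	# providers still get logged, but nothing is mailed.
	if ( n$note == HTTP::SQL_Injection_Victim && n?$src && Site::is_local_addr(n$src) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```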