Imperva Cyber Community

Expand all | Collapse all

working with .net sqlclient source application

  • 1.  working with .net sqlclient source application

    Posted 01-24-2020 08:21
      |   view attached

    Hi,

    Many MSSQL users I work with use the ".net sqlclient" source application to connect to their MSSQL servers.
    Often, their "source application" data, presented in SecureSphere, has a long variable string at the beginning. 
    For example -


    [aaaa-1111].net sqlclient data provider
    aaaa2222].net sqlclient data provider
    [bbbb1111].net sqlclient data provider
    [zzzzz-3333].net sqlclient data provider
    etc...

    Each time a user logs in, they may get a different variable.
    This makes profiling impossible since each connection is considered by SecureSphere to be from a different source app.
    Alert aggregation also suffers as the source app name cannot be aggregated, even though it's the same source app for all events.

    Any idea how to resolve this?



    #DatabaseActivityMonitoring

    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------


  • 2.  RE: working with .net sqlclient source application

    Imperva Employee
    Posted 01-24-2020 09:56
    Hi Roee,

    I am not aware of a way to work around this in the DAM arena. In the WAF arena we can do certain things like use plugins on URLs where a section of the URL changes, but not all of it, but this doesn't help you.

    Have you looked at what is actually being received by the MSSQL server? What I mean is, is the .net application prepending this different prefix to the Application name it reports to the SQL server? Or does the SQLserver only see the .net sqlclient data provider name without the prefix?

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------



  • 3.  RE: working with .net sqlclient source application

    Posted 01-28-2020 07:37
    Hi Stephan,

    I found some info from Microsoft , for example  - https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/data-tracing 
    As far as I can see the MSSQL server assigns this unique ID to each connection, and then the client sends this info as part of the connection string. That's where SecureSphere picks it up.

    I agree plugins would be perfect in this case.
    What can be done?




    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------



  • 4.  RE: working with .net sqlclient source application

    Impervian
    Posted 01-31-2020 12:41
    Why don't you try Text Replacement? Since it is the same source application it shouldn't be a problem. @Stefan Pynappels please correct me if I am wrong, don't wanna mislead here.




    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 5.  RE: working with .net sqlclient source application

    Impervian
    Posted 02-06-2020 05:07
    Hi Sabajete,

    I think, Text Replacement does not work because it can be applied only to Normalized Query, User Name or Application User Name as you can see below. On the other hand, the application name is gathered from login query if client application sends this information (I mean it is optional).



    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 6.  RE: working with .net sqlclient source application

    Posted 02-09-2020 10:23
    Cezmi is right, text replacement won't work in this case due to the mentioned reason.



    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------



  • 7.  RE: working with .net sqlclient source application

    Impervian
    Posted 02-10-2020 03:34
    Yes, it seems text replacement won't work.

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------