Re: [mod-security-users] Core rules and mysql comments
From: Ryan B. <Rya...@br...> - 2009-07-14 23:27:17
Hey Jeffrey,

Can you please send an audit log example of these attack transactions? This will help with our analysis.

A few points -

1) The SQLi rules use the t:removeComments transformation function to counter evasion attempts that attackers use to intersperse comments into their payloads. This works to evade basic filters as the regexes wouldn't match while still maintaining functionally equivalent SQL code. You could try and remove this normalization function and retest. Another option might be to just add a new rule that specifically looks for these strings. There are some false positive concerns with weak sigs like "--" which is why we haven't included it.

2) In relation to the previous point about weak signatures, in our upcoming CRS 2.0 release, we are going to be using a more collaborative detection/anomaly scoring mechanism. With this new format, you will be able to have many sigs evaluate and contribute to a score and then you can set whatever threshold you wish for either logging/alerting and blocking.

3) If anyone finds rule evasions or problems, they should use our JIRA ticketing system so we properly track the issue - http://www.modsecurity.org/tracker/

Thanks.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com <http://www.breach.com/>

----- Original Message -----
From: Jeffrey Savoy <jr...@do...>
To: mod...@li... <mod...@li...>
Sent: Tue Jul 14 17:15:52 2009
Subject: [mod-security-users] Core rules and mysql comments

Hello

Running some quick SQL injection tests against a PHP script with a MySQL backend, I noted that the core ModSecurity rules did not seem to identify injections related to the various MySQL comment syntaxes, e.g. closing an argument with ' and then adding "-- " or "/*" as MySQL comments. While I can add my own rules, I was wondering why rules to stop ' -- and ' /* were not included in the core set?

I suspect performance or high false positives, but thought that I would ask.

Thank you!

-Jeffrey

Jeffrey Savoy, CISSP EnCE
Information Security Officer
University of Wisconsin-Madison
608-262-8369
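As an added illustration of Ryan's first two points (not code from the thread or from ModSecurity/CRS), the following Python approximates the t:removeComments normalization and a small anomaly-scoring rule set: keyword rules inspect the comment-stripped input, the weak comment-token rule inspects the raw input (since normalization removes the very characters it looks for), and only a combined score at or above a threshold blocks. The signature weights, the threshold and the sample payloads are constructed for this example.

```python
import re

# Added illustration, not ModSecurity's code: an approximation of the
# t:removeComments transformation mentioned in the thread. It drops /* ... */
# blocks, treats an unterminated /* as running to the end of the input, and
# removes "--" and "#" single-line comments up to the end of the line.
def remove_comments(payload: str) -> str:
    payload = re.sub(r"/\*.*?\*/", "", payload, flags=re.S)
    payload = re.sub(r"/\*.*", "", payload, flags=re.S)
    return re.sub(r"(--|#).*", "", payload)

# Each signature says which view of the input it inspects. Keyword rules run on
# the comment-stripped view (so UNI/**/ON still reads as UNION); the weak
# comment-token rule must run on the raw input, because normalization has
# already removed the very characters it looks for. Weights are constructed.
SIGNATURES = [
    # (name, regex, inspect_normalized, weight)
    ("union select", re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S), True, 5),
    ("tautology", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I), True, 3),
    ("comment token", re.compile(r"--(?:\s|$)|/\*"), False, 2),
]

BLOCK_THRESHOLD = 5  # constructed; the operator picks this in anomaly mode

def score(payload: str):
    """Return (total anomaly score, names of the signatures that fired)."""
    normalized = remove_comments(payload)
    total, hits = 0, []
    for name, rx, use_normalized, weight in SIGNATURES:
        if rx.search(normalized if use_normalized else payload):
            total += weight
            hits.append(name)
    return total, hits

def decide(payload: str) -> str:
    """Block at or above the threshold, log anything that scored, else pass."""
    total, _ = score(payload)
    if total >= BLOCK_THRESHOLD:
        return "block"
    return "log" if total else "pass"

if __name__ == "__main__":
    # Constructed samples modelled on the cases discussed in the thread. A lone
    # "' -- " only logs (the weak-signature false positive concern), while the
    # comment token plus a tautology crosses the threshold together.
    for p in ["1' UNI/**/ON SEL/**/ECT 1,2 -- ", "1' -- ", "1'/*",
              "1' or 1=1 -- ", "well -- that is fine", "42"]:
        print(f"{p!r:40} score={score(p)} -> {decide(p)}")
```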