Hello,


*** Sorry if this is a repeat, I had to join with my correct email!


We have found in our logs some interestingly formed XML requests that are not normal to our system, and our system responded with SQL errors based on the XML requests being wrong. My question is, should Mod-Security have caught these sorts of parameters being passed, and if so, how can it be made to do so? This time, there were some malicious attempts against a resource that doesn't really contain sensitive data, but the next time it might, so we want to be able to use whatever is at our disposal to be sure we are safe.

 

I am also trying to learn more about the usage of Mod-Security and how to update and account for issues like this with custom rule sets. Is there a doc or guide that would be helpful in learning how to manage the Mod-Security rules and custom rules?

 

Below are some of the XML examples that we saw in our logs from our web servers to our logic servers:

 

<SERVICE request_type="OrderStatus" session_id="qdgr.032206.901"><ORDER_STATUS_REPLY customer_name="1" error_msg="Exception encountered in addChildOrders: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &apos;&apos; /*!and 1=0 union select 1,2,3,4,5,6,7,unhex(hex(CONCAT_WS(CHAR(32,58,32),user(&apos; at line 1" master_merchant_id="9" master_merchant_name="10" merchant_id="7" merchant_name="xxxxx@<IP Address Masked> : <customer name here> : 5.1.47-rel11.2-log" merchant_uid="20" order_date="3" order_id="230053354&apos; /*!and 1=0 union select 1,2,3,4,5,6,7,unhex(hex(CONCAT_WS(CHAR(32,58,32),user(),database(),version()))),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23*/-- -" order_status="2" order_status_category_id="18" order_status_id="11" parent_econsignment_merchant_id="23" parent_master_ticket_id="22" receipt_add_text="21" receipt_url="19" sales_agent_id="12" sales_agent_name="13" sales_machine_id="15" sales_machine_name="16" ship_date="4" ship_method="14" ship_method_desc="5" status="OK" tracking_number="6"></ORDER_STATUS_REPLY></SERVICE>

 

<SERVICE error_msg="Exception: Incorrect key file for table &apos;/tmp/#sql_749d_1.MYI&apos;; try to repair it" request_type="OrderStatus" session_id="fkpm.031904.304"><ORDER_STATUS_REPLY error_msg="Exception: Incorrect key file for table &apos;/tmp/#sql_749d_1.MYI&apos;; try to repair it" status="FAILED"></ORDER_STATUS_REPLY></SERVICE>

 

 

<SERVICE __source="113.22.65.34" __ts="1288077513919" request_type="OrderStatus" session_id="mcea.031833.959" source_id="/192.168.16.103:52313"><ORDER_STATUS order_id="230053354&apos; /*!order by 1000*/-- -"></ORDER_STATUS></SERVICE>

 

 

Thanks for any help in advance!

 

CMB
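
The injected `order_id` values in the logged messages above share a few recognisable markers. As an added example (not part of the original post), this Python sketch parses one logged message, decodes its attribute values and flags those markers; the indicator names, the numeric `order_id` assumption and the benign sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic markers seen in the logged order_id values; not a full SQLi grammar.
INDICATORS = {
    "mysql_versioned_comment": re.compile(r"/\*!"),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "trailing_sql_comment": re.compile(r"--\s[^\n]*$"),
    "quote_break": re.compile(r"^[\w.-]*'"),
}
# Assumption: order ids are purely numeric, as the "230053354" prefix suggests.
NUMERIC_ID = re.compile(r"\d{1,18}")


def scan_message(xml_text):
    """Return sorted (element, attribute, label) hits for one logged message."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTDs are not expected in these messages")
    root = ET.fromstring(xml_text)  # the parser decodes &apos; into '
    hits = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if name == "order_id" and not NUMERIC_ID.fullmatch(value):
                hits.append((elem.tag, name, "order_id_not_numeric"))
            for label, rx in INDICATORS.items():
                if rx.search(value):
                    hits.append((elem.tag, name, label))
    return sorted(hits)


# Request from the post above, with the routing attributes trimmed.
PROBE = ('<SERVICE request_type="OrderStatus" session_id="mcea.031833.959">'
         '<ORDER_STATUS order_id="230053354&apos; /*!order by 1000*/-- -">'
         '</ORDER_STATUS></SERVICE>')
# Constructed benign request for comparison.
BENIGN = ('<SERVICE request_type="OrderStatus" session_id="abcd.010101.001">'
          '<ORDER_STATUS order_id="230053354"></ORDER_STATUS></SERVICE>')

if __name__ == "__main__":
    for sample in (PROBE, BENIGN):
        print(scan_message(sample) or "clean")
```

The same checks only help at a WAF if the XML body is parsed and the attribute values are inspected; rejecting a non-numeric `order_id` before it reaches the SQL layer is the stronger control.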