[mod-security-users] Regular Expression and SQL Injection
From: Vijay M. <vm...@vs...> - 2008-02-25 16:11:56
Dear All,

It's not very difficult to use a backreference and create a rule to catch an SQL Injection attempt that uses 1=1 or 5=5 or 'vijay' = 'vijay'. Is there any way to use regular expressions to catch attempts like 34 > 2 or 12 between 4 and 100? We need regular expressions that can think instead of just matching patterns. Is there anyone who is thinking of adding programming language constructs like an if statement into regular expressions?

I believe that most web application attacks can only be detected if we use more and more powerful regular expressions. Why do Snort and Nessus have such poor support when it comes to regular expressions for determining web application attacks? I have seen lots of products that claim that they detect attacks like SQL Injection and XSS. Am I right in assuming that mod-security has the most extensive support for detecting web application attacks?

Vijay Mukhi

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Ryan Barnett
Sent: Monday, February 25, 2008 7:53 PM
To: Sebastian Kösters; Brian Rectanus
Cc: mod...@li...
Subject: Re: [mod-security-users] update from modsecurity-apache_1.9.4 to modsecurity-apache_2.1.6?

SecFilter searches the entire inbound request transaction for the RegEx. In 2.x, you must specify a variable location. Take a look at the examples in the Core Rules (http://www.modsecurity.org/projects/rules/index.html) -

    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "insert[[:space:]]+into"

This rule lists the common variables that are inspected, which include the request URI, all request headers and any arguments, while also excluding the Referer header (as it normally is a false positive).

As for the regex, take a look at the 40 Generic Attacks Core Rules file as it includes many SQL Injection RegExs that are much more comprehensive than the example ones from the 1.9 branch.

-Ryan

> -----Original Message-----
> From: mod...@li...
> [mailto:mod-sec...@li...] On Behalf Of Sebastian Kösters
> Sent: Monday, February 25, 2008 9:09 AM
> To: Brian Rectanus
> Cc: mod...@li...
> Subject: Re: [mod-security-users] update from modsecurity-apache_1.9.4 to modsecurity-apache_2.1.6?
>
> Found what failed. mod_unique_id was not loaded. I am sorry.
>
> One (for now) last question.
>
> With version 1.9.4 it was possible to do a very simple rule like
>
> SecFilter "insert[[:space:]]+into"
>
> I found nothing to create such a simple rule with 2.x
>
> Kind regards,
>
> Sebastian Kösters
>
> systems architect
> Trade Haven GmbH
> In der Steele 37, 40599 Düsseldorf
> T +49 211 749659 14 mailto:sko...@tr...
> F +49 211 749659 29 http://www.tradehaven.de
> --------------------------------------------------------------------
> Managing directors: Michael Heck | Oliver Wagner
> Commercial register Düsseldorf: HRB 53379
>
> Brian Rectanus wrote:
> > This will audit log everything:
> >
> > SecAuditEngine On
> >
> > This rule will deny everything and log:
> >
> > SecAction "phase:2,deny,status:403,log,auditlog,msg:'DENY ALL TEST RULE'"
> >
> > -B
> >
> > Sebastian Kösters wrote:
> >
> >> What must a rule look like to deny all traffic? With such a rule I could
> >> check if something gets logged.
> >>
> >> Kind regards,
> >> Sebastian Kösters
> >>
> >> Brian Rectanus wrote:
> >>
> >>> If you want to log everything, then set SecAuditEngine On. Otherwise it will only log errors and any rules that match (you appear not to have any rules).
> >>>
> >>> -B
> >>>
> >>> ----- Original Message -----
> >>> From: mod...@li... <mod...@li...>
> >>> To: Robert Lount <ro...@ey...>
> >>> Cc: mod...@li... <mod...@li...>
> >>> Sent: Sat Feb 23 12:04:45 2008
> >>> Subject: Re: [mod-security-users] update from modsecurity-apache_1.9.4 to modsecurity-apache_2.1.6?
> >>>
> >>> Thank you.
> >>>
> >>> I used the .mk files from another directory and it worked.
> >>>
> >>> But I have another problem.
> >>>
> >>> The mod_security logs nothing.
> >>>
> >>> My config (for the moment) looks like this:
> >>>
> >>> SecRuleEngine On
> >>> SecRequestBodyAccess On
> >>> SecResponseBodyAccess Off
> >>>
> >>> SecDebugLog /var/log/apache2/modsec_debug.log
> >>> SecDebugLogLevel 3
> >>>
> >>> SecAuditEngine RelevantOnly
> >>> SecAuditLogRelevantStatus ^5
> >>> SecAuditLogParts ABIFHZ
> >>> SecAuditLogType Serial
> >>> SecAuditLog /var/log/apache2/modsec_audit.log
> >>>
> >>> SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
> >>>
> >>> With the 1.9.4 version I always saw if someone opened a website on my
> >>> server. Now the logfile is empty.
> >>>
> >>> The configuration is much more different to 1.9.4, I see.
> >>>
> >>> Kind regards,
> >>> Sebastian Kösters
> >>>
> >>> Robert Lount wrote:
> >>>
> >>>> Sebastian Kösters wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> I installed Apache2 + PHP5 on Ubuntu 6.06.2 LTS as a package some time ago.
> >>>>> After that I installed mod_security 1.9.4 with apxs2 -cia "module".
> >>>>>
> >>>>> That worked fine.
> >>>>>
> >>>>> Today I noticed that there is a 2.1.6 version and I wanted to
> >>>>> update mod_security. But that did not work.
> >>>>>
> >>>>> I tried the following:
> >>>>>
> >>>>> apxs2 -cia mod_security2.c
> >>>>>
> >>>>> That worked.
> >>>>>
> >>>>> It is also loaded in the httpd.conf
> >>>>>
> >>>>> #LoadModule security_module /usr/lib/apache2/modules/mod_security.so <- that's the old version 1.9.4
> >>>>> LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
> >>>>>
> >>>>> When I now start apache with the new module this error message comes:
> >>>>>
> >>>>> * Starting apache 2.0 web server...
> >>>>> Syntax error on line 7 of /etc/apache2/httpd.conf:
> >>>>> Cannot load /usr/lib/apache2/modules/mod_security2.so into server:
> >>>>> /usr/lib/apache2/modules/mod_security2.so: undefined symbol: msc_alert
> >>>>>
> >>>>> I also tried to do it like the manual told me.
> >>>>>
> >>>>> libxml2 is installed and the paths in the Makefile are correct.
> >>>>>
> >>>>> When I try to do "make" I see this error:
> >>>>>
> >>>>> Makefile:40: /etc/apache2/build/special.mk: No such file or directory
> >>>>> make: *** no rule to mal /etc/apache2/build/special.mk
> >>>>>
> >>>>> Where do I get this file? What's wrong? I have the latest apache2 version.
> >>>>>
> >>>>> When I start apache with the old version of the module everything works
> >>>>> fine again.
> >>>>>
> >>>>> I hope someone of you can help me.
> >>>>>
> >>>> Do you have the apache2-<worker-version-here>-dev packages installed?
> >>>> All my issues with make have had to do with either libxml2-dev or
> >>>> apache-*-dev not being installed.
> >>>>
> >>>> I am currently running Ubuntu 7.10 server, and aside from shooting my
> >>>> own foot with rules it seems to be working fine.
> >>>> Here are my installed versions of Apache and libxml2
> >>>>
> >>>> i   apache2-threaded-dev  - development headers for apache2
> >>>> i A apache2-mpm-prefork   - Traditional model for Apache HTTPD
> >>>> i A apache2.2-common      - Next generation, scalable, extendable web server
> >>>>
> >>>> i   libxml2               - GNOME XML library
> >>>> i   libxml2-dev           - Development files for the GNOME XML library
> >>>>
> >>>> I hope this is a help and not an annoyance.
> >>>>
> >>>> Robert

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
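
The gap raised in the message above, as an added example (not part of the thread and not ModSecurity code): a backreference can only confirm that two operands are the same token, so flagging `34 > 2` or `12 between 4 and 100` means parsing the literals and evaluating the comparison. The names `BACKREF` and `constant_true` and the two-kind literal grammar (integers and single-quoted strings) are assumptions made for this example.

```python
import operator
import re

# The backreference rule from the question: both sides must be the same token.
BACKREF = re.compile(r"(?<!\w)('?)(\w+)\1\s*=\s*\1\2\1(?!\w)")

# Constructed mini-grammar (an assumption of this example, not real SQL):
# a literal is an integer or a single-quoted string with no embedded quote.
LIT = r"(?<![\w'])(\d+|'[^']*')(?!\w)"
CMP = re.compile(LIT + r"\s*(<=|>=|<>|!=|=|<|>)\s*" + LIT)
BETWEEN = re.compile(LIT + r"\s+between\s+" + LIT + r"\s+and\s+" + LIT, re.I)
OPS = {"=": operator.eq, "<>": operator.ne, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def _value(tok):
    """Convert a literal token to an int or to the string between its quotes."""
    return tok[1:-1] if tok.startswith("'") else int(tok)


def constant_true(text):
    """Return every literal-vs-literal condition in text that is always true."""
    hits = []
    for m in BETWEEN.finditer(text):
        v, lo, hi = (_value(g) for g in m.groups())
        # Only compare like with like; mixed int/str literals are skipped.
        if type(v) is type(lo) is type(hi) and lo <= v <= hi:
            hits.append(m.group(0))
    for m in CMP.finditer(text):
        a, op, b = _value(m.group(1)), m.group(2), _value(m.group(3))
        if type(a) is type(b) and OPS[op](a, b):
            hits.append(m.group(0))
    return hits


# Constructed parameter values built from the expressions quoted in the message.
SAMPLES = ["id=7 or 1=1", "id=7 or 'vijay' = 'vijay'", "id=7 or 34 > 2",
           "id=7 or 12 between 4 and 100", "id=7 and price > 2"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:34} backref={bool(BACKREF.search(s))} evaluated={constant_true(s)}")
```

A comparison involving a column name, such as `price > 2`, is left alone because only literal-against-literal conditions can be decided without the database.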