[mod-security-users] (no subject)
From: jacky m. <jac...@li...> - 2009-02-08 18:12:18
Wondering if you could provide some help or guidance. My two questions are:
The following ModSecurity rule is part of the default rule set and is used for blocking SQL injection attacks. Briefly explain the rule:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \
    "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001

The following ModSecurity rule is part of the default rule set and is used for blocking EMAIL injection attacks. Briefly explain the rule:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
    "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
    "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2'"
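Added example, not part of the original post or of the ModSecurity rule set: a Python approximation of how rules 950019 and 959019 quoted above evaluate a value, applying the listed transformations and then the rule's regular expression. The function names and sample values are constructed for illustration, and `html.unescape` and `unquote_plus` only approximate ModSecurity's `t:htmlEntityDecode` and `t:urlDecode`.

```python
import html
import re
from urllib.parse import unquote_plus

# Regular expression copied from rules 950019 / 959019 in the post above:
# a CR or LF, optional whitespace, then "to", "cc" or "bcc" as a whole word,
# a colon, and anything up to the first "@".
EMAIL_INJECTION = re.compile(r"[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@")


def transform(value, url_decode=False):
    """Stand-in for the rule's transformation chain (assumed approximation)."""
    if url_decode:                    # t:urlDecode, present only in 959019
        value = unquote_plus(value)
    value = html.unescape(value)      # t:htmlEntityDecode
    return value.lower()              # t:lowercase


def inspect(value, url_decode=False):
    """Return the matched text (what 'capture' stores in TX.0), or None."""
    match = EMAIL_INJECTION.search(transform(value, url_decode))
    return match.group(0) if match else None


# Constructed sample values: (input, apply url_decode as rule 959019 does)
SAMPLES = {
    "raw_crlf_bcc": ("Hello\r\nBcc: someone@example.com", False),
    "entity_encoded_lf": ("hi&#10;To: a@example.com", False),
    "urlencoded_header": ("x%0d%0aCc:%20a@example.com", True),
    "urlencoded_no_decode": ("x%0d%0aCc:%20a@example.com", False),
    "no_line_break": ("send a copy to: bob@example.com", False),
    "word_boundary": ("line1\ntotal: a@b", False),
}


def evaluate_samples():
    """Run every constructed sample through the rule logic."""
    return {name: inspect(v, dec) for name, (v, dec) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22} -> {hit!r}")
```

The `urlencoded_no_decode` case shows why the header rule adds `t:urlDecode`: without it the encoded line break never reaches the pattern.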