Re: [mod-security-users] (no subject)
From: Ofer S. <of...@sh...> - 2009-02-09 05:27:17
The SQL injection rule is a performance enhancement rule and not an attack detection rule. It checks using a fast algorithm (that is faster than regexp) that the different SQL injection keywords do not appear in the request. If they do not appear in the request, the actual SQL injection detection rule is skipped.

The e-mail injection rule checks for an attack called e-mail injection. In a nutshell, if an application uses an input field in an e-mail message it sends and does not validate the input correctly, the input can modify not just the intended part, usually subject or body, but also other fields such as the destination address. This way the application mail function can be used to send arbitrary mail, usually spam. Google for "email injection" for some articles about this attack, for example http://www.damonkohler.com/2008/12/email-injection.html.

~ Ofer

Ofer Shezaf [sh...@xi..., +972-54-4431119, www.xiom.com]

From: jacky myres [mailto:jac...@li...]
Sent: Sunday, February 08, 2009 7:56 PM
To: mod...@li...
Subject: [mod-security-users] (no subject)

Wondering if you could provide some help or guidance. My two questions are:

* The following ModSecurity rule is part of the default rule set and is used for blocking SQL injection attacks. Briefly explain the rule.

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001

* The following ModSecurity rule is part of the default rule set and is used for blocking EMAIL injection attacks. Briefly explain the rule.

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
    "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
    "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2'"
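To make the two behaviours Ofer describes concrete, here is an added Python model of both rules (not ModSecurity's own code, and the transformation functions are approximations of the t:* chains): the @pm prefilter is a plain substring search over a keyword subset taken from the quoted rule, and the e-mail injection check runs the quoted regex after htmlEntityDecode and lowercase, returning what %{TX.0} would log.

```python
import html
import re
from urllib.parse import unquote

# Constructed subset of the keyword list from the quoted @pm rule.
SQLI_KEYWORDS = ("insert", "select", "delete", "drop", "xp_cmdshell",
                 "benchmark", "@@version", "openrowset", "sp_executesql")

# The e-mail injection pattern exactly as quoted in rules 950019 / 959019.
EMAIL_INJECTION_RE = re.compile(r"[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@")


def sqli_transform(value: str) -> str:
    """Approximation of the prefilter's chain: t:urlDecodeUni,
    t:htmlEntityDecode, t:replaceComments, t:compressWhiteSpace,
    t:lowercase (assumed semantics, not libmodsecurity's implementation)."""
    value = html.unescape(unquote(value))
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # replaceComments
    value = re.sub(r"\s+", " ", value)                     # compressWhiteSpace
    return value.lower()


def sqli_prefilter_hit(value: str) -> bool:
    """@pm is a multi-string substring search with no word boundaries, so any
    keyword occurring anywhere in the input counts as a hit. When this returns
    False the real rule set skips the expensive regex rule (skip:1); when True
    the regex rule still decides whether it is actually an attack."""
    transformed = sqli_transform(value)
    return any(keyword in transformed for keyword in SQLI_KEYWORDS)


def email_injection_match(value: str):
    """Rule 950019 on an already URL-decoded ARGS value: apply
    t:htmlEntityDecode and t:lowercase, then the regex. Returns the captured
    text (what logdata:'%{TX.0}' would record) or None when no header is
    being injected into the mail."""
    match = EMAIL_INJECTION_RE.search(html.unescape(value).lower())
    return match.group(0) if match else None


if __name__ == "__main__":
    # Constructed sample form inputs.
    print(sqli_prefilter_hit("1 SEL%45CT 1"))                          # True
    print(email_injection_match("Hi\r\nBCC: spam@example.invalid"))   # "\r\nbcc: spam@"
```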