Hello All,
I have a problem where SQL injection rules like "Detects concatenated basic
SQL injection and SQLLFI attempts" are firing when the strings in the
input fields are similar to SQL commands. Here is an example.
8d85025e-H-- Message: Warning. Pattern match
"(?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc)\\b)|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load
..." at ARGS:address1. [file
"/etc/modsec/sitebuyprod/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
[line "451"] [id "942360"] [rev "2"] [msg "Detects concatenated basic SQL
injection and SQLLFI attempts"] [data "Matched Data: 1922 ALTER found
within ARGS:address1: 1922 ALTER St PHILADELPHIA, PA 19146"] [severity
"CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
"attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag
"PCI/6.5.2"]
How do I whitelist this behavior in a way where
1. I am not whitelisting actual SQL injection commands. Like in the above case,
I can whitelist not to fire on the string "alter" for ARGS:address1, but doesn't
that eliminate detection/blocking of any ALTER-based SQL injection?
2. Is there a way to whitelist such false positives globally for all
fields? The string could be present in address2 next time, or in comments
etc., and there are multiple sites. Do I have to collect all possible
fields for all sites, or can I whitelist this false positive globally in
some way?
Appreciate your help!
Sincerely,
Deanna
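As an added example that is not part of the original post: three ways ModSecurity 2.x with CRS 3.0 can scope an exclusion for rule 942360 to the address fields instead of disabling the rule for everything, using the rule id and field name from the log above. The local rule id 1000100, the URI path and the exclusion file names are assumptions for this example.

```apache
# Added example (not from the original post). All directives are real
# ModSecurity 2.x directives; rule id 1000100, the /checkout/shipping path
# and the CRS exclusion file names are assumptions for illustration.

# --- What NOT to do: this drops 942360 for every parameter on the site, so
# an ALTER-based injection in any other field would no longer be caught.
# SecRuleRemoveById 942360

# --- Option 1: narrow, static exclusion (answers question 1).
# 942360 keeps inspecting every other argument; only ARGS:address1 is
# removed from its target list. Must load AFTER the CRS rule files, e.g.
# in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
SecRuleUpdateTargetById 942360 "!ARGS:address1"

# --- Option 2: one directive for all address-like fields (answers
# question 2). A regex target matches address1, address2, address_3 ...
# without listing each field, and applies to every vhost that includes
# this file. Also loads AFTER the CRS rule files.
SecRuleUpdateTargetById 942360 "!ARGS:/^address[_0-9]*$/"

# --- Option 3: runtime exclusion scoped to one form, for when the same
# field name is a street address on one page but free text elsewhere.
# Runs in phase 1, so it takes effect before the CRS request rules in
# phase 2; place it in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
SecRule REQUEST_URI "@beginsWith /checkout/shipping" \
    "id:1000100,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=942360;ARGS:address1,\
    ctl:ruleRemoveTargetById=942360;ARGS:address2"
```

After reloading, replay the original request with the audit log enabled and confirm that rule 942360 still fires on a request where the same ALTER string is submitted in a non-address parameter.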