Re: [mod-security-users] Can mod-security help with this?
From: Danny S. <dsh...@al...> - 2005-01-24 18:54:08
This didn't work for me. Here is more log info:
216.67.229.212 - - [24/Jan/2005:13:53:43 -0500] "GET
/board/viewtopic.php?p=5290&highlight=%2527%252Esystem(chr(112)%252Echr(101)
%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%
252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)
%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%2
52Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%2
52Echr(34))%252E%2527 HTTP/1.0" 200 98 "-" "Mozilla/4.0"
24.57.53.2 - - [24/Jan/2005:13:53:43 -0500] "GET
/board/viewtopic.php?p=3201&highlight=%2527%252Esystem(chr(112)%252Echr(101)
%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%
252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)
%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%2
52Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%2
52Echr(34))%252E%2527 HTTP/1.0" 200 98 "-" "Mozilla/4.0"
64.186.228.51 - - [24/Jan/2005:13:53:43 -0500] "GET
/board/viewtopic.php?p=4132&highlight=%2527%252Esystem(chr(112)%252Echr(101)
%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%
252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)
%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%2
52Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%2
52Echr(34))%252E%2527 HTTP/1.0" 200 98 "-" "Mozilla/4.0"
64.132.74.96 - - [24/Jan/2005:13:53:43 -0500] "GET
/board/viewtopic.php?p=4171&highlight=%2527%252Esystem(chr(112)%252Echr(101)
%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%
252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)
%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%2
52Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%2
52Echr(34))%252E%2527 HTTP/1.0" 200 98 "-" "Mozilla/4.0"
On 1/24/05 12:49 PM, "Gerwin Krist" <ge...@di...> wrote:
> Sure you can use:
> SecFilterSelective ARG_highlight %27
>
> Our company also filters for the following:
> SecFilterSelective ARGS "fwrite"
> SecFilterSelective ARGS "fopen"
> SecFilterSelective ARGS "chr\("
> SecFilterSelective ARGS "echr\("
> SecFilterSelective ARGS "system\("
>
> To be really secure :) I hope it will help you
>
> Danny Shurett wrote:
>
>> I am seeing a dos attack with a random string, but it includes this:
>>
>> highlight=%2527%252Esystem(chr(112)%252Echr(101)
>>
>> Can someone let me know if mod-security can help with this and how I could
>> use it to stop it?
|
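Added example, not part of the original messages: a Python sketch that takes an access-log line like the ones posted above, percent-decodes the highlight value one layer at a time, and lists which of the patterns quoted in the thread match at each layer. The sample lines are constructed (documentation-range addresses, shortened payload), the function names are hypothetical, and the matching is plain Python regex, not an emulation of mod_security's own request processing.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns copied from the SecFilterSelective rules quoted in the thread.
THREAD_PATTERNS = ["%27", "fwrite", "fopen", r"chr\(", r"echr\(", r"system\("]

# Constructed log lines modelled on the entries above: documentation-range
# client addresses, payload shortened to two chr() calls.
SAMPLE = ('192.0.2.10 - - [24/Jan/2005:13:53:43 -0500] "GET /board/viewtopic.php'
          '?p=5290&highlight=%2527%252Esystem(chr(112)%252Echr(101))%252E%2527'
          ' HTTP/1.0" 200 98 "-" "Mozilla/4.0"')
BENIGN = ('192.0.2.11 - - [24/Jan/2005:13:54:02 -0500] "GET /board/viewtopic.php'
          '?p=5290&highlight=apache+rules HTTP/1.0" 200 5120 "-" "Mozilla/4.0"')

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def raw_param(log_line, name):
    """Return the still-encoded value of a query parameter, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    for pair in urlsplit(m.group(1)).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def decode_layers(value, max_rounds=5):
    """Percent-decode repeatedly until the value stops changing."""
    layers = [value]
    for _ in range(max_rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def report(log_line, name="highlight"):
    """Per decoding layer, list which thread patterns match the value."""
    value = raw_param(log_line, name)
    if value is None:
        return []
    return [(layer, [p for p in THREAD_PATTERNS if re.search(p, layer)])
            for layer in decode_layers(value)]

def is_suspicious(log_line):
    """Flag a value that matches at any layer or is encoded more than once."""
    rep = report(log_line)
    return len(rep) > 2 or any(hits for _, hits in rep)
```

Calling `report(SAMPLE)` returns three layers: the literal `%27` only appears after one decode, the quote character only after two, while `chr(` and `system(` are present at every layer.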