CASTELLE Thomas wrote:
> Hello,
>
> Another small question about modsecurity rules:
>
> Is it possible to improve these rules:
>
> SecFilterSelective ARGS "select.+from"
> SecFilterSelective ARGS "union.+select"
> SecFilterSelective ARGS "update.+set.+="
>
> Because we have quite a few false positives on our websites.

That's a difficult one, because SQL is essentially English. It
may be possible to reduce the number of false positives (but
not avoid them altogether) with something like:

SecFilterSelective ARGS_VALUES "select[[:space:]].+[[:space:]]from"

Looking at parameters individually is likely to reduce the
number although it allows for one part of the injection string
to go into one parameter and the other into some other parameter.
Also, even the original signature does not address this type of
attack completely.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
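
The trade-off described in the reply above, as an added example that is not part of the original message or of ModSecurity: a Python model that runs the original and the whitespace-delimited pattern over constructed query strings, once against the whole argument string (ARGS) and once per value (ARGS_VALUES). Assumptions: `\s` stands in for `[[:space:]]` because Python's `re` has no POSIX classes, matching is case-insensitive, input is URL-decoded before matching, and the function names and sample queries are made up for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Patterns from the thread; \s replaces [[:space:]] (assumption, see lead-in).
ORIGINAL = re.compile(r"select.+from", re.I)
TIGHTENED = re.compile(r"select\s.+\sfrom", re.I)


def match_args(pattern, query):
    """Model of ARGS: the pattern sees the whole decoded argument string."""
    return bool(pattern.search(unquote_plus(query)))


def match_args_values(pattern, query):
    """Model of ARGS_VALUES: the pattern sees each decoded value on its own."""
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    return any(pattern.search(v) for v in values)


# Constructed sample requests, not taken from real traffic.
SAMPLES = {
    # Ordinary form whose field names happen to contain the keywords.
    "form_fields": "selected=1&from=Paris&to=Lyon",
    # Free text in plain English inside a single value.
    "english_text": "comment=please+select+one+item+from+the+menu",
    # Keywords spread over two parameters, the gap the reply points out.
    "split_values": "a=select+id&b=name+from+users",
}


def evaluate():
    """Return, per sample, which rule/target combinations would fire."""
    return {
        name: {
            "original_ARGS": match_args(ORIGINAL, query),
            "tightened_ARGS": match_args(TIGHTENED, query),
            "tightened_ARGS_VALUES": match_args_values(TIGHTENED, query),
        }
        for name, query in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The form-field false positive disappears with the tightened pattern, the English sentence still matches it, and the split request is seen only when the pattern runs over the whole argument string.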