can't figure out request filter


aww
08-28-2008, 09:34 AM
I've been trying to create a server-wide rule to filter out that stupid SQL attack that's been going around and clogging up all the logs. The few built-in rules are not blocking it.

The attack is something like this:
?;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(blah blah blah

So I have this as the action:
log,deny,status:403,msg:'DECLARE attack'

and I tried all these as the rule, none work:

SecFilterSelective QUERY_STRING "^.*DECLARE.+CHAR.+SET.+CAST.+$"

SecFilterSelective ARGS "^.*DECLARE.+CHAR.+SET.+CAST.+$"

SecFilterSelective ARGS_VALUES "^.*DECLARE.+CHAR.+SET.+CAST.+$"

SecFilterSelective THE_REQUEST "^.*DECLARE.+CHAR.+SET.+CAST.+$"

I also tried it without the ^.* and .+$ anchors.

Thanks for any ideas.

mistwang
09-01-2008, 08:51 PM
You can turn on the request filter log to debug those rules.
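
An offline check of the pattern from the first post against the different views of the request, added here as an example and not part of the original thread. It assumes the engine matches QUERY_STRING and THE_REQUEST as whole strings and splits arguments on `&` and the first `=`; the path `/page.asp` and the `PLACEHOLDER` text are constructed, and the script does not claim to reproduce the server's actual behaviour.

```python
import re
from urllib.parse import unquote

# Pattern copied from the rules in the first post.
PATTERN = re.compile(r"^.*DECLARE.+CHAR.+SET.+CAST.+$")

# Constructed sample: the fragment quoted in the post, with a placeholder
# standing in for the elided "blah blah blah" part.
RAW_QUERY = ";DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(PLACEHOLDER"


def request_views(raw_query, path="/page.asp"):
    """Return the strings each rule variable would plausibly be matched against.

    Assumption: arguments are split on '&' and the first '=' and then
    URL-decoded; 'path' is a hypothetical URL used only to build the
    request line.
    """
    pairs = []
    for field in raw_query.split("&"):
        name, _, value = field.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return {
        "THE_REQUEST": [f"GET {path}?{raw_query} HTTP/1.1"],
        "QUERY_STRING (raw)": [raw_query],
        "QUERY_STRING (decoded)": [unquote(raw_query)],
        "ARGS_NAMES": [name for name, _ in pairs],
        "ARGS_VALUES": [value for _, value in pairs],
    }


def matching_views(raw_query, pattern=PATTERN):
    """Map each view to True if the pattern matches any string in it."""
    return {
        view: any(pattern.search(s) is not None for s in strings)
        for view, strings in request_views(raw_query).items()
    }


if __name__ == "__main__":
    for view, strings in request_views(RAW_QUERY).items():
        print(f"{view:24} {strings}")
    for view, hit in matching_views(RAW_QUERY).items():
        print(f"{view:24} {'match' if hit else 'no match'}")
```

The `=` in `SET @S=CAST(` is what separates the argument name from its value, so a pattern that needs both `DECLARE` and `CAST` can only match a view that holds the whole query string.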