can't figure out request filter

Discussion in 'Install/Configuration' started by aww, Aug 28, 2008.

  1. aww

    aww Well-Known Member

    I've been trying to create a server-wide rule to filter out that stupid sql attack that's been going around and clogging up all the logs. The few built in rules are not blocking it.

    The attack is something like this:
    So I have this as the action:
    log,deny,status:403,msg:'DECLARE attack'

    and I tried all these as the rule, none work:

    SecFilterSelective QUERY_STRING "^.*DECLARE.+CHAR.+SET.+CAST.+$"

    SecFilterSelective ARGS "^.*DECLARE.+CHAR.+SET.+CAST.+$"

    SecFilterSelective ARGS_VALUES "^.*DECLARE.+CHAR.+SET.+CAST.+$"

    SecFilterSelective THE_REQUEST "^.*DECLARE.+CHAR.+SET.+CAST.+$"

    I also tried it without the ^.* and .+$ anchors.

    Thanks for any ideas.
  2. mistwang

    mistwang LiteSpeed Staff

    you can turn on request filter log to debug those rules.

Share This Page