10 May 2012 18:40
SecRule 981317
Canell, Stephen E (2240) <stephen.e.canell <at> jpl.nasa.gov>
2012-05-10 16:40:21 GMT
In modsecurity_crs_41_sql_injection_attacks.conf, rule ID 981317 looks for the following:

SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3" "phase:2,t:none,block,id:'981317'…

If the *_COUNT is equal to or greater than 3 of the list of SQL key words, it issues a 403 error.

I have two variable fields that consist of pure text fields where the SQL key words will most likely be hit, i.e. the count will equal 3 or greater very easily. These fields are not SQL in nature.

How can I perform the equivalent of an if-else-then where, if variables coverLetterTxt or resumeTXT are scanned, to not perform the 981317 process… I do not care if the word count reaches 20000 for these two variables where SQL injection is concerned, but for the many other fields, I do want these tests to be performed and permission denied in the event of an SQL attack.

For these two fields, I do have a white list on the ASCII characters from X01-X7F, allow. Do I need another allow statement with the inclusion of the SQL key words such as select|…

Thank you
-Steve

--
Stephen Canell
IT Security Engineer 4, EBIS Security
Enterprise Business Information Services (formerly IBS)
EBIS Security - 2240
Jet Propulsion Laboratory
4800 Oak Grove Drive
Pasadena, California 91109
Phone: 818-354-1731

Procrastination is the thief of time!
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
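The behaviour the message describes, as a simplified Python model added here (not code from the original post or from the ModSecurity CRS): distinct SQL keywords are counted across request parameters and the request is blocked at three or more, with the two free-text fields optionally left out of the count. The keyword list, the sample values and the `evaluate` helper are assumptions made for illustration.

```python
import re

# Constructed keyword list for illustration; not the actual list used by the CRS.
SQL_KEYWORDS = {"select", "from", "where", "union", "having",
                "order", "group", "limit", "distinct"}
THRESHOLD = 3  # mirrors the "@ge 3" comparison quoted for rule 981317
FREE_TEXT_FIELDS = {"coverLetterTxt", "resumeTXT"}  # field names from the post


def keyword_hits(value):
    """Return the distinct SQL keywords that occur as whole words in value."""
    return set(re.findall(r"[a-z]+", value.lower())) & SQL_KEYWORDS


def evaluate(args, excluded=()):
    """Count distinct keywords over all parameters except the excluded ones.

    Returns (blocked, count, hits_by_param). Hypothetical helper: it models
    the count-then-threshold idea, not ModSecurity's rule engine.
    """
    seen, hits_by_param = set(), {}
    for name, value in args.items():
        if name in excluded:
            continue  # excluded fields never contribute to the count
        hits = keyword_hits(value)
        if hits:
            hits_by_param[name] = sorted(hits)
            seen |= hits
    return len(seen) >= THRESHOLD, len(seen), hits_by_param


# Constructed sample request: ordinary English in the two free-text fields.
BENIGN = {
    "name": "Pat Example",
    "coverLetterTxt": "Please select me from the group of applicants; "
                      "I know where to start.",
    "resumeTXT": "Managed order entry with limit checks.",
}
# Same request with a constructed SQL-looking value in a field still scanned.
SUSPECT = dict(BENIGN, name="x' union select name from users where 1=1")

if __name__ == "__main__":
    print(evaluate(BENIGN))                     # false positive: blocked
    print(evaluate(BENIGN, FREE_TEXT_FIELDS))   # free text skipped: allowed
    print(evaluate(SUSPECT, FREE_TEXT_FIELDS))  # other fields still blocked
```

In this model a field left out of the count gets no SQL keyword screening at all, so whatever other validation it has is the only check applied to it.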