Several ModSecurity rules, what do You think about these?
Hello,
what do you think about applying the following ModSecurity rules on a public shared hosting server? Do you find any of them beneficial? Thank you.
SQL Injection
SecRule ARGS "union\s+select" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "union\s+all\s+select" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "into\s+outfile" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "drop\s+table" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "alter\s+table" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "load_file" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "select\s+" \
"t:lowercase,deny,msg:'SQL Injection'"
Command Execution
This rule matches too often
SecRule ARGS "^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)[[:space:]]" \
"deny"
Directory traversal (did NOT work for me, almost any URL request got banned)
SecRule REQUEST_URI "@streq ../" \
"t:urlDecode,deny"
Some of the rules are from: blog.art-of-coding.eu/implementing-a-web-application-firewall/
Hello :) You may also want to seek user feedback from the Mod_Security users mailing list on these custom rules: mod-security-users Info Page. Thank you.
> Directory traversal (did NOT work for me, almost any URL request got banned)
> SecRule REQUEST_URI "@streq ../" \
> "t:urlDecode,deny"

I will look at the others later if I have time, but this one is broken because a single dot serves as a wildcard for any single character unless escaped by a backslash. You want this:
SecRule REQUEST_URI "@streq \.\./" \
"t:urlDecode,deny"
Rules that use ../../ can be very easily evaded by padding in extra slashes. You should use /../ so that things like ..//..// will also match. For example:
SecRule QUERY_STRING "/\.\./" \
"t:urlDecode,deny"
You can also use a transformation like "normalisePath" to strip extra slashes from requests before processing.
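To see how the two points raised in this thread play out (the SQLi patterns with `\s+` firing on ordinary text, and the padded `..//..//` traversal slipping past `../../` but not past `/../`), here is a small added Python model of the rules. It is not ModSecurity code; the rule list, `normalise_path` approximation and sample inputs are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed equivalents of the (corrected) SQLi rules from the thread.
# t:lowercase is modelled by lowercasing the decoded value before matching.
SQLI_RULES = [
    ("union select", re.compile(r"union\s+select")),
    ("union all select", re.compile(r"union\s+all\s+select")),
    ("into outfile", re.compile(r"into\s+outfile")),
    ("drop table", re.compile(r"drop\s+table")),
    ("alter table", re.compile(r"alter\s+table")),
    ("load_file", re.compile(r"load_file")),
    ("bare select", re.compile(r"select\s+")),   # fires on ordinary text too
]

# The two traversal patterns discussed: naive "../../" and the slash-anchored
# "/\.\./" that the last comment recommends.
TRAVERSAL_NAIVE = re.compile(r"\.\./\.\./")
TRAVERSAL_ANCHORED = re.compile(r"/\.\./")

def normalise_path(path: str) -> str:
    """Rough stand-in for t:normalisePath: collapse repeated slashes and
    drop './' segments. ModSecurity's real transformation does more."""
    path = re.sub(r"/+", "/", path)
    return re.sub(r"(?<=/)\./", "", path)

def check_args(args: dict) -> list:
    """Return the SQLi rule hits for a request's ARGS (name -> raw value)."""
    hits = []
    for name, raw in args.items():
        value = unquote_plus(raw).lower()          # t:urlDecode, t:lowercase
        for rule_name, rx in SQLI_RULES:
            if rx.search(value):
                hits.append(f"SQL Injection ({rule_name}) in {name}")
    return hits

def traversal_verdict(query_string: str) -> dict:
    """Show which traversal pattern catches a (decoded) query string."""
    decoded = unquote_plus(query_string)
    return {
        "naive": bool(TRAVERSAL_NAIVE.search(decoded)),
        "anchored": bool(TRAVERSAL_ANCHORED.search(decoded)),
        "naive+normalise": bool(TRAVERSAL_NAIVE.search(normalise_path(decoded))),
    }

if __name__ == "__main__":
    print(check_args({"comment": "Please select a color"}))   # false positive
    print(traversal_verdict("file=..//..//etc/passwd"))       # padded traversal
```

The `bare select` entry shows why the poster sees rules matching too often: any form field containing the word "select" followed by a space trips it.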