Hi Nick,
I am very new to writing custom rules.
I would like to create a simple rule to block querystring like " 176%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#.... "
or
"AND 5474=CAST((CHR(113)||CHR(98)||CHR(120)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (5474=5474) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(120)||CHR(120)||CHR(120)||CHR(113)) AS NUMERIC) ..."
Can you show me some example of such rules?
many thanks
Giampiero
vector colls
Certainly! Here are a couple of examples of custom rules that can help you block the query strings you mentioned:
Rule 1: Block query strings containing "UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#"
SecRule ARGS:qs "@contains %{TX.0}" \
"id:123456,\
phase:2,\
block,\
log,\
msg:'Block query string with UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#',\
severity:CRITICAL"
SecRule REQUEST_URI \
"@rx ^/your-protected-resource-uri$" \
"chain"
SecRule ARGS:qs "@contains %{TX.0}"
Replace /your-protected-resource-uri with the actual URI of the resource you want to protect.
Rule 2: Block query strings containing the specific SQL injection pattern
SecRule ARGS:qs "@rx \b(CAST|CHR|SELECT|FROM|WHERE)\b" \
"id:123457,\
phase:2,\
block,\
log,\
msg:'Block query string with SQL injection pattern',\
severity:CRITICAL"
SecRule REQUEST_URI \
"@rx ^/your-protected-resource-uri$" \
"chain"
SecRule ARGS:qs "@rx \b(CAST|CHR|SELECT|FROM|WHERE)\b"
Replace /your-protected-resource-uri with the actual URI of the resource you want to protect.
These rules use ModSecurity syntax to match and block specific query strings. Make sure you have ModSecurity properly installed and configured on your server to utilize these rules.
Please note that these are basic examples and might need further customization based on your specific requirements and environment. It's always recommended to thoroughly test and validate the rules before deploying them in a production environment. mymilestonecard