2024-12-21 00:35:03 +00:00
|
|
|
# Apache ModSecurity rules for SQL
|
|
|
|
|
SecRuleEngine On
|
|
|
|
|
|
2025-01-09 00:26:35 +00:00
|
|
|
SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1237,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1238,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1243,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1247,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1246,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1236,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1244,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1240,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1242,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1239,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1245,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1248,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1241,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
