mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 17:55:48 +00:00
30 lines
4.9 KiB
Plaintext
30 lines
4.9 KiB
Plaintext
|
# Apache ModSecurity rules for SQL
|
||
|
|
SecRuleEngine On
|
||
|
|
|
||
|
|
SecRule REQUEST_URI "@pm gzip compress deflate br zstd" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "!@pmFromFile sql-errors.data" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)bORA-[0-9][0-9][0-9][0-9][0-9]:|java.sql.SQLException|Oracle(?: erro|[^()]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)Dynamic SQL Error" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)Exception (?:condition )?d+. Transaction rollback." "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)org.hsqldb.jdbc" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[()_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)() [|org.postgresql.util.PSQLException):|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||
|
|
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'sql attack detected'"
|