mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-29 16:15:12 +00:00
Update: [Tue Jan 7 18:00:52 UTC 2025]
@@ -1,28 +1,16 @@
|
||||
# Apache ModSecurity rules for SQL
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "@lt 1" "id:1224,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@lt 1" "id:1225,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "!@pmFromFile sql-errors.data" "id:1226,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" "id:1227,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" "id:1228,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" "id:1229,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" "id:1230,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)Dynamic SQL Error" "id:1231,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)Exception (?:condition )?d+. Transaction rollback." "id:1232,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)org.hsqldb.jdbc" "id:1233,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" "id:1234,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" "id:1235,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" "id:1236,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" "id:1237,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)" "id:1238,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" "id:1239,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" "id:1240,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" "id:1241,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" "id:1242,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1243,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1244,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1245,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1246,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@lt 4" "id:1247,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "@lt 4" "id:1248,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1288,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1278,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1281,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1280,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1284,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1287,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1286,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1282,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1285,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1283,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1277,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1276,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1279,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
|
||||
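Review bot: Rules 1276–1288 (which look like the added side; the +/- markers are lost on this page) have every regex metacharacter backslash-escaped and no `@rx` prefix. ModSecurity's default regex operator therefore reads `\(\?i\)`, `\|` and `\.\*` as literal text, and each rule fires only if the URI contains the regex source itself, so the set no longer detects anything. Each pattern should be written unescaped with the operator explicit, e.g. `SecRule REQUEST_URI "@rx (?i)Dynamic SQL Error" "id:1279,phase:1,deny,status:403,log,msg:'sql attack detected'"`. The escaping also preserves what look like earlier lost backslashes (`d\+` in 1280 and `IngresW` in 1283 were presumably `\d+` and `\W`), which should be restored in the same pass. Separately, these strings are database error messages that normally appear in responses rather than request URIs; if the intent is error-leak detection, matching `RESPONSE_BODY` in phase 4 with a message that says so would fit better than 'sql attack detected' on `REQUEST_URI`.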