SQL Keyword Anomaly Scoring
GoogleCodeExporter opened this issue · 1 comments
GoogleCodeExporter commented
#
# SQL Keyword Anomaly Scoring:
I am having issues fine tuning all SQL rules for a COTS product. This relates
to the ID 981301 - 981316 with 981317.
I get a 403 from 918317 related to the previous SecRules because of the keyword
count trigger.
Would the keyword in 301-316 be triggered by variables names having SQL
keywords in the var name, such as:
"search.selectedJobFamily.value" (981301 - select)...
I have two variables with the word select and one with the keyword from. The
audit log shows 301 and 305 as the hits and the kewords are found in the var
names.
Also,
I have two variables where users can enter an entire resume, so most, if not all of the SQL keywords in the SQL rules 301-316 will get hit!
I have seen the use SecRuleUpdateById in conjunction of !ARGS:<var> used, but
301-316 uses TX:SQLI….. How do I use the SecRuleUpdateById with TX vs ARGS,
and or
what is the best way to allow all words for these two variables and not set off
the SQL triggers.
Thank you
Steve
Original issue reported on code.google.com by scan...@jpl.nasa.gov on 20 Jul 2012 at 4:43
GoogleCodeExporter commented
I believe that you are in the wrong place. This issue tracker is for the OWASP
Broken Web Applications project. It sounds like your question is about
ModSecurity (or perhaps a specific rule set). If so, please visit
http://www.modsecurity.org/ to find resources.
Original comment by chuck.f....@gmail.com on 24 Jul 2012 at 4:40
- Changed state: Invalid