ISAPIRewrite or Mod_Rewrite Rules
For those of you interested in stopping the SQLi attack before it even hits your ColdFusion server, you might try these rewrite rules are from the CF-Linux email list (run by House of Fusion). They were provided by list member Mike Chytracek and forwarded to me by Linux CFG Ryan Stille. These rules are for for use with Helicon's ISAPI Rewrite filter, but with very little tweaking these rules aught to work for Apache Mod_rewrite as well.
# Helicon ISAPI_Rewrite configuration file
# Version 3.1.0.54
RewriteEngine On
RewriteCompatibility2 On
RepeatLimit 20
RewriteBase
# unsupported directive: [ISAPI_Rewrite]
# CacheClockRate 300
RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/
[NC] RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^METHOD$ OPTIONS
Please note that these rules will actually redirect the request to the governments cybercrime website. That's going to freak a few folks out if you end up with any fals positives :)
11 Comments
-
I really should have read it first before I posted. I just saw Linux and ignored the rest. My bad. -
@Brett,
Ooh! I like it! That's tasteful without being gaudy.
-mark -
Also, I believe you would want to use [I,R] instead of [NC] to redirect them to the CyberCrime site. -
Actually now that I look closer, I'm not sure of [NC] vs [I,R]. I the rule set is for Helicon's Filter (per the comments).
We use Ionic ISAPI rewrite http://www.codeplex.com/IIRF and it is definitely [I,R]
Sorry for any confusion, and thanks for the post, I added a couple of the rules to our server that we were not using. -
LOL, you're going to start getting calls from the CIA wanting to know why half of their traffic is all redirects from your site...
As much as I don't like filtering due to false positives and an over-grown sense of security, I do think the web server is the place to do it. Why even waste the CF thread, if Apache or IIS can handle the problem? I'm likley to mess around with a few rules, but I don't want to leave them in place permanently assuming these specific attacks will eventually go away. The next big attack may use an entirely different method which will require a brand new rewrite rule... -
The suggested ISAPIRewrite rules are helpful in detecting the current attack, but when tested against the HP Scrawlr (SQL injector and crawler testing tool), the rules, as currently written, fail the test. I haven't yet identified what needs to be added or changed. Anyone have any suggestions how to make the rules more robust?
Sites to Watch
Aggregators
RSS
Related Blog Entries