ColdFusion Muse

ISAPIRewrite or Mod_Rewrite Rules

For those of you interested in stopping the SQLi attack before it even hits your ColdFusion server, you might try these rewrite rules are from the CF-Linux email list (run by House of Fusion). They were provided by list member Mike Chytracek and forwarded to me by Linux CFG Ryan Stille. These rules are for for use with Helicon's ISAPI Rewrite filter, but with very little tweaking these rules aught to work for Apache Mod_rewrite as well.

# Helicon ISAPI_Rewrite configuration file

# Version 3.1.0.54


RewriteEngine On

RewriteCompatibility2 On

RepeatLimit 20

RewriteBase 

# unsupported directive: [ISAPI_Rewrite]


# CacheClockRate 300


RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]

RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]

RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/ 
[NC]
RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]

RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]

RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]


RewriteRule ^METHOD$ OPTIONS

Please note that these rules will actually redirect the request to the governments cybercrime website. That's going to freak a few folks out if you end up with any fals positives :)

11 Comments

Add Comment Subscribe to Comments

Leave this field empty

Write a comment

Remember My Information:

Subscribe:

If you subscribe, any new posts to this thread will be sent to your email address.

Subscribe to Comments

Remember My Information:

• 

  Posted By

  Matt | 8/8/08 2:58 PM

  How about on IIS?
• 

  Posted By

  Matt | 8/8/08 3:08 PM

  I really should have read it first before I posted. I just saw Linux and ignored the rest. My bad.
• 

  Posted By

  Brett S. | 8/8/08 3:34 PM

  We redirect them back to REMOTE_ADDR ;)
• 

  Posted By

  mark kruger | 8/8/08 3:55 PM

  @Brett,
  
  Ooh! I like it! That's tasteful without being gaudy.
  
  -mark
• 

  Posted By

  Brett S | 8/8/08 3:55 PM

  Also, I believe you would want to use [I,R] instead of [NC] to redirect them to the CyberCrime site.
• 

  Posted By

  Brett S | 8/8/08 4:00 PM

  Actually now that I look closer, I'm not sure of [NC] vs [I,R]. I the rule set is for Helicon's Filter (per the comments).
  
  We use Ionic ISAPI rewrite http://www.codeplex.com/IIRF and it is definitely [I,R]
  
  Sorry for any confusion, and thanks for the post, I added a couple of the rules to our server that we were not using.
• 

  Posted By

  simon | 8/8/08 11:22 PM

  Can anyone explain how exactly to do this in apache 2+?
• 

  Posted By

  Brad Wood | 8/9/08 3:36 AM

  LOL, you're going to start getting calls from the CIA wanting to know why half of their traffic is all redirects from your site...
  
  As much as I don't like filtering due to false positives and an over-grown sense of security, I do think the web server is the place to do it. Why even waste the CF thread, if Apache or IIS can handle the problem? I'm likley to mess around with a few rules, but I don't want to leave them in place permanently assuming these specific attacks will eventually go away. The next big attack may use an entirely different method which will require a brand new rewrite rule...
• 

  Posted By

  sb | 8/11/08 2:51 PM

  How do I tweak this to get it to work with mod rewrite?
• 

  Posted By

  Matt Smith | 8/23/08 10:46 AM

  The suggested ISAPIRewrite rules are helpful in detecting the current attack, but when tested against the HP Scrawlr (SQL injector and crawler testing tool), the rules, as currently written, fail the test. I haven't yet identified what needs to be added or changed. Anyone have any suggestions how to make the rules more robust?
• 

  Posted By

  jon | 8/28/08 1:07 PM

  any word on how to go about this type of thing with IIS?