Closed
Description
Hi ~
I have compiled libmodsecurity v3, when requests were blocked with SecRuleEngine On.
---w26BhY4m---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/data/webserver/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: host found within ARGS:sdfsdf: 1' or '1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [ref "v711,8t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments"]
The rule action is "Warning", but I guess it should be "Access denied with code"?
Reference resources in waf-fle:
$ActionStatus[0] = "Access denied with connection close"; // action: Drop
$ActionStatus[1] = "Access denied with code"; // action: Deny
$ActionStatus[2] = "Access denied with redirection"; // action: Redirect
$ActionStatus[3] = "Access denied using proxy to"; // action: Proxy
$ActionStatus[10] = "Access allowed"; // action: Allow
$ActionStatus[11] = "Access to phase allowed";
$ActionStatus[12] = "Access to request allowed";
$ActionStatus[13] = "Paused Access"; // action: Pause
$ActionStatus[14] = "Pausing transaction for"; // action: Pause
$ActionStatus[20] = "Warning"; // action: Pass or Detection Only
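An added example, not part of the original issue and not waf-fle's own code: a Python parser that classifies section-H messages by the prefixes in the table quoted above, showing that the logged line falls under code 20 rather than the "Access denied" family. The names `parse_h_message` and `is_blocking` are hypothetical, and `DENY_LINE` is a constructed sample.

```python
import re

# Message prefix -> status code, copied from the waf-fle $ActionStatus table above.
ACTION_STATUS = {
    "Access denied with connection close": 0,   # Drop
    "Access denied with code": 1,               # Deny
    "Access denied with redirection": 2,        # Redirect
    "Access denied using proxy to": 3,          # Proxy
    "Access allowed": 10,                       # Allow
    "Access to phase allowed": 11,
    "Access to request allowed": 12,
    "Paused Access": 13,                        # Pause
    "Pausing transaction for": 14,              # Pause
    "Warning": 20,                              # Pass or Detection Only
}
MARKER = "ModSecurity: "
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs

def parse_h_message(line):
    """Parse one section-H message into its status code and metadata fields."""
    if not line.startswith(MARKER):
        return None
    body = line[len(MARKER):]
    # Longest prefix first so a short prefix can never shadow a longer one.
    prefixes = sorted(ACTION_STATUS, key=len, reverse=True)
    status = next((ACTION_STATUS[p] for p in prefixes if body.startswith(p)), None)
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields.setdefault(key, []).append(value)   # tag repeats, so keep lists
    return {"status": status, "fields": fields}

def is_blocking(status):
    """Codes 0-3 are the 'Access denied ...' family in the table."""
    return status is not None and 0 <= status <= 3

# The line from this issue, with most [tag] fields cut for length.
PAGE_LINE = ('ModSecurity: Warning. detected SQLi using libinjection. '
             '[file "/data/webserver/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
             '[line "17"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
             '[data "Matched Data: host found within ARGS:sdfsdf: 1\' or \'1"] '
             '[severity "2"] [tag "attack-sqli"] [tag "OWASP_TOP_10/A1"]')
# Constructed line in the "Access denied with code" form, for contrast.
DENY_LINE = 'ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [severity "2"]'

if __name__ == "__main__":
    for sample in (PAGE_LINE, DENY_LINE):
        parsed = parse_h_message(sample)
        print(parsed["status"], is_blocking(parsed["status"]), parsed["fields"]["id"])
```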