troglogeek / fail2ban-apache-sqlinject Goto Github PK

This regex can catch legit lines. Here is an example:

XX.XX.XX.XX - - [date] "GET /wp-admin/options-general.php?page=wp-updates-notifier&settings-updated=true HTTP/1.1" 200 24177 "http://domain.tld/wp-admin/options-general.php?page=wp-updates-notifier" "User-Agent"

The sqlfragments_generic will match on update.*set.

If a find a solution I will keep you posted.

Thanks for posting this filter; it has been useful.

I had several Wordpress users blocked due to false positives, which I traced to the following line. To resolve the problem I changed the following line to add spaces around the keywords; real sql attempts must have spaces around words such as 'update' and 'set'. The following is one long line.

sqlfragments_generic = select(+|%%20).(+|%%20)from|delete(+|%%20).(+|%%20)from|update(+|%%20).(+|%%20)set|insert(+|%%20).(+|%%20)into|replace(+|%%20).*(+|%%20)(value|set)

Hi, your log filter is exactly what I was looking for but I can't get it to catch the following log entry. Should it or do I need to modify it somehow?

172.56.17.13 - - [25/Sep/2014:13:19:41 -0700] "mysitesdomain.com/go.php?siteid=936141763%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20" 404 115 "-" "Mozilla/5.0 (Linux; Android 4.4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.117 Mobile Safari/537.36"

My website recently got hit with a bunch of SQL Injection attempts, none of which appear to have been successful, but these miscreants need to be dealt with. I run fail2ban and found your filter high in the Google Search. When I tested your filter against my logs, it flagged some lines but missed a lot that looked decidedly suspicions. Some were due to uppercase SELECT or UNION. Others I suspect are the way the hackers are creating the SELECT/UNION commands on the fly.

Have you considered re-activating this project? I am a newbie at regex, but am willing to help.

Thanks, Norbert