Hi guys,
Can someone tell me if this means that the UTM has done its job and stopped the SQL injection?
2023:02:22-11:37:33 securitysrv1-2 httpd[3325]: [security2:error] [pid 3325:tid 3932240752] [client 185.191.171.17:22598] [client 185.191.171.17] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:so. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:so: r6AU1uTuw2IhNwyiLZTyvrxUCRJx942Mn62k6y4BUMBtviTorZekBoewAuQvlSfaUgh2-U_ZuBMeyTykM3c8bhPNGQhY4C4mM__TRHfUv3Qf6xoTDtBJZbr7ni9ZgKbyY8BYo0v1Sxbeuul8ukHqHX7XX40DkKJxjIRkm7ChMcYVmKTY9vnqY3oEVIowkpdv0lthuiUBR6NlyAPgkIoXz8PQU2CDBfIAwq5xvZUwnvHC-oUV4LFtN9t9z07kMd0EKeu3OlsksuggJ2yJh3VsXkO35CKmRRSJ0aJS6khZgOMp7YnO_muuUpkDTrCXdOVcRzm772IHcctDDCyuk0ZySAPXdTUeh6FLdzoGD86MWmeZCUITyrzcQcLCxeXpyNAFpo0ZsJuSJXogo-HnbTyc-w2"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [hostname "XXi-nu.nl"] [uri "/XXe.aspx"] [unique_id "Y_XwbTjqKQXGMixwt5o_UwAAARE"]
2023:02:22-11:37:34 securitysrv1-2 httpd[3325]: [security2:error] [pid 3325:tid 3932240752] [client 185.191.171.17:22598] [client 185.191.171.17] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "XX-nu.nl"] [uri "/XXcollectie.aspx"] [unique_id "Y_XwbTjqKQXGMixwt5o_UwAAARE"]
2023:02:22-11:37:34 securitysrv1-2 httpd: id="0299" srcip="185.191.171.17" localip="62.221.XX.184" size="12009" user="-" host="185.191.171.17" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="213677" url="/XXcollectie.aspx" server="XX-nu.nl" port="80" query="?so=r6AU1uTuw2IhNwyiLZTyvrxUCRJx942Mn62k6y4BUMBtviTorZekBoewAuQvlSfaUgh2-U_ZuBMeyTykM3c8bhPNGQhY4C4mM__TRHfUv3Qf6xoTDtBJZbr7ni9ZgKbyY8BYo0v1Sxbeuul8ukHqHX7XX40DkKJxjIRkm7ChMcYVmKTY9vnqY3oEVIowkpdv0lthuiUBR6NlyAPgkIoXz8PQU2CDBfIAwq5xvZUwnvHC-oUV4LFtN9t9z07kMd0EKeu3OlsksuggJ2yJh3VsXkO35CKmRRSJ0aJS6khZgOMp7YnO_muuUpkDTrCXdOVcRzm772IHcctDDCyuk0ZySAPXdTUeh6FLdzoGD86MWmeZCUITyrzcQcLCxeXpyNAFpo0ZsJuSJXogo-HnbTyc-w2" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y_XwbTjqKQXGMixwt5o_UwAAARE"
Hi Aresh,
I'll be moving this post to the Sophos UTM Forum.
Erick Jan
Community Support Engineer | Sophos Technical Support
Thanks
Is your question about access via Webserver Protection or to WebAdmin?
Cheers - Bob
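An added example, not part of the original thread and not Sophos code: one way to correlate the three log lines from the question by request id and read off which rules fired, the anomaly score, the threshold it was compared against, and the HTTP status that was returned. The sample lines are constructed placeholders in the same layout, and treating status 403 as "blocked" is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log lines in the question;
# host name, client IP, URI, pattern and request id are placeholders.
SAMPLE_LOG = '''\
2023:02:22-11:37:33 waf httpd[3325]: [security2:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(placeholder)" at ARGS:so. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [uri "/page.aspx"] [unique_id "REQ-0001"]
2023:02:22-11:37:34 waf httpd[3325]: [security2:error] [client 192.0.2.10] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert"] [uri "/page.aspx"] [unique_id "REQ-0001"]
2023:02:22-11:37:34 waf httpd: id="0299" srcip="192.0.2.10" method="GET" statuscode="200" url="/page.aspx" set-cookie="-" uid="REQ-0001"
'''

MODSEC_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "981173"]
ACCESS_FIELD = re.compile(r'([\w-]+)="([^"]*)"')               # statuscode="200"
THRESHOLD = re.compile(r"Operator (\w+) matched (\d+) at TX:inbound_anomaly_score")
SCORE = re.compile(r"Total Inbound Score: (\d+)")


def correlate(log_text):
    """Group ModSecurity warnings and the access-log line by request id."""
    reqs = defaultdict(lambda: {"rules": [], "score": None, "operator": None,
                                "threshold": None, "status": None})
    for line in log_text.splitlines():
        if "ModSecurity:" in line:
            fields = dict(MODSEC_FIELD.findall(line))
            req = reqs[fields.get("unique_id")]
            req["rules"].append(fields.get("id"))
            if (m := THRESHOLD.search(line)):
                req["operator"], req["threshold"] = m.group(1), int(m.group(2))
            if (m := SCORE.search(fields.get("msg", ""))):
                req["score"] = int(m.group(1))
        elif "statuscode=" in line:
            fields = dict(ACCESS_FIELD.findall(line))
            reqs[fields.get("uid")]["status"] = int(fields["statuscode"])
    return dict(reqs)


def verdict(req):
    """Assumption of this example: a blocked request is answered with 403."""
    if req["status"] == 403:
        return "blocked"
    if req["rules"] and req["status"] is not None:
        return "logged, not blocked"
    return "incomplete"


if __name__ == "__main__":
    for uid, req in correlate(SAMPLE_LOG).items():
        print(uid, req, verdict(req))
```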