Re: [Mod-security-developers] Question about some rules
From: Ryan B. <RBa...@tr...> - 2012-03-07 18:40:37
On 3/7/12 9:33 AM, "Pavel Mateja" <pa...@ne...> wrote:

>> On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
>> > I had to modify them slightly:
>> >
>> > rule 981243:
>> > -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
>> > -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>> >
>> > rule 981244:
>> > -..\s*x?or|div|like|between|and[\w\s-]+..
>> > +..\s*x?(or|div|like|between|and)[\w\s-]+..
>> >
>> > rule 981248:
>> > -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
>> > +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>> >
>> > Or am I missing something?
>>
>> Hi Pavel,
>>
>> The string 'like' is included to help protect against SQLi attacks. In your
>> case it's obviously a false positive. Having said that, customizing the CRS
>> itself will make upgrading the ruleset more difficult. It's probably a
>> better idea to maintain a list of exceptions instead. Take a look at:
>>
>> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
>
> OK,
> let's talk about part of the rule 981248:
> (?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])
> I think this one is for catching strings similar to:
> "5 like 8+"
> but the rule is positive on any words containing "like" because "|" has not as
> high priority as author thought it has.
> The "\s*\d+\s*[\-+]" part is tied to "(x)or" only and "\s*\d+\s*[\-+]" part is
> tied to "and" only.
> It's not customizing, it's fixing broken rules from my point of view.
> --
> Pavel Mateja

You are correct, the issue was with the regex. We will be fixing it.

-Ryan

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.
If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
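The alternation-precedence problem Pavel describes for rule 981248 can be checked directly. The following is an added example, not code from the thread or from the CRS project: it runs the 981248 fragment exactly as quoted, next to the parenthesised form Pavel proposed, over a handful of constructed inputs. It uses Python's `re` rather than the PCRE engine ModSecurity links against; for this fragment the two engines agree, and the sample strings and function names are assumptions made for the demonstration.

```python
import re

# Fragment of CRS rule 981248 exactly as quoted in the thread.  Without
# parentheses, "|" splits the whole fragment into five independent branches:
#   \d+\s*x?or   |   div   |   like   |   between   |   and\s*\d+\s*[\-+]
# so the bare words "div", "like" and "between" match anywhere in the input,
# and the numeric context is attached only to the first and last branch.
BROKEN = r"(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])"

# The parenthesised form Pavel proposed: the digit and operator context now
# applies to every keyword in the group.
FIXED = r"(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])"


def hits(pattern: str, text: str) -> bool:
    """True if the pattern (case-sensitive, as quoted) matches anywhere in text."""
    return re.search(pattern, text) is not None


def evaluate(samples):
    """Return {text: (broken_matches, fixed_matches)} for each sample string."""
    return {s: (hits(BROKEN, s), hits(FIXED, s)) for s in samples}


def false_positives(samples):
    """Inputs the broken rule flags but the corrected rule does not."""
    return [s for s, (broken, fixed) in evaluate(samples).items() if broken and not fixed]


# Constructed sample inputs (assumed for this example, not from the thread).
# CONTEXT has the "<number> <keyword> <number> <operator>" shape the rule
# was written for; NO_CONTEXT lacks the numeric operands around the keyword.
CONTEXT = ["5 like 8+", "7 xor 9+", "1 and 2-", "3 between 4 +"]
NO_CONTEXT = ["I really like this product", "dividend yield", "unlike", "and 2-"]

if __name__ == "__main__":
    for text, (broken, fixed) in evaluate(CONTEXT + NO_CONTEXT).items():
        print(f"{text!r:32} broken={broken!s:5} fixed={fixed}")
    print("false positives removed by the fix:", false_positives(NO_CONTEXT))
```

Running it shows both patterns flagging every string in `CONTEXT`, while only the unparenthesised pattern flags the `NO_CONTEXT` strings, which is the behaviour that produced the false positive on ordinary text containing "like". It also makes the separate point in Ryan's reply concrete: the fix here is a correction to the rule's logic, whereas a site-specific exception would be the right tool for an input the rule is legitimately meant to catch.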