Re: [mod-security-users] Ask a question about regex in CRS
From: Ryan B. <rya...@br...> - 2010-06-24 15:38:35
On Tuesday 22 June 2010 00:05:18 Neo Liu wrote:
> Hi, everyone
> The following rule comes from
> rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf , but I
> don't understand what the regular expression "(?:[\\\(\)\%#]|--)"
> means.
The rules contained in this section of the sqli file are considered WEAK signatures, meaning
that they have a high false positive rate if used on their own. This is why they were
disabled by default in previous CRS versions. In CRS v2, however, we were able to use them
as part of collaborative detection. These rules will *only* be run if a previously
matched, stronger sqli rule has matched.
This regular expression is checking for a character class and any of the meta-characters
in the brackets [...] will match. The backslashes are used to tell the pcre engine to not
interpret these as actual meta-characters but to just look for the character itself in the
input.
> What's the meaning of "\%" in a regex?
>
As stated above - this means to look for a percentage sign.
-Ryan
> SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" \
>     "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
>
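The following is an added example, not part of the original thread and not CRS code: it runs the quoted pattern over constructed inputs to show which characters it matches, why it is noisy on its own, and how gating it behind a stronger match changes the score. The `STRONG` pattern, the score value of 5 and the sample strings are assumptions made for illustration.

```python
import re

# The CRS pattern quoted in the thread, unchanged. Inside [...] the escaped
# characters are literals: backslash, "(", ")", "%" and "#". The alternative
# after "|" is the two-character sequence "--".
WEAK = re.compile(r"(?:[\\\(\)\%#]|--)")

# Hypothetical stand-in for a "stronger" SQLi rule; NOT a CRS rule.
STRONG = re.compile(r"\bunion\b.+?\bselect\b", re.IGNORECASE)

CRITICAL_SCORE = 5  # constructed stand-in for tx.critical_anomaly_score


def weak_hits(value):
    """Return every substring of value that the weak pattern matches."""
    return WEAK.findall(value)


def sqli_score(value):
    """Model the gating described in the reply: the weak pattern is only
    evaluated on a value the strong pattern already matched (MATCHED_VAR
    in the quoted rule), and each match adds the critical score."""
    score = 0
    if STRONG.search(value):
        score += CRITICAL_SCORE
        if WEAK.search(value):
            score += CRITICAL_SCORE
    return score


# Constructed sample inputs: two benign strings, two SQLi-style strings.
SAMPLES = [
    "50% off (today only)",
    r"C:\temp\report #4",
    "1 UNION SELECT name FROM users",
    "1 UNION SELECT name FROM users-- ",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} weak={weak_hits(s)} score={sqli_score(s)}")
```

The two benign strings both hit the weak pattern yet score 0, because the weak check never runs without the stronger match.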