Re: [Mod-security-rules] Rule 950901 needs to be more specific
From: Ryan B. <RBa...@tr...> - 2011-07-20 17:48:07
Benjamin,

You will be happy to know that we just released CRS v2.2.1 and we have updated this SQL Injection Tautology rule 950901 to be more accurate both from a false positive and negative perspective. Please test out the new CRS and let me know if it is working better for you.

-Ryan

On 7/2/11 8:14 PM, "Benjamin Flament" <ben...@ya...> wrote:
> Hi
>
> I've been having some trouble with rule 950901, because it essentially
> matches any single sentence that includes an "and" or "or". The rule's
> regex is currently as follows:
>
> \b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\’\‘](\d+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\2\b|[\'\"\`\´\‘](\w+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\3\b|([\'\"\;\`\´\’\‘]*)?\s+(and|or)\s+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?[=<>!]+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?
>
> I suggest changing the rule to:
>
> \b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\’\‘](\d+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\2\b|[\'\"\`\´\‘](\w+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\3\b|([\'\"\;\`\´\’\‘]*)?\s+(and|or)\s+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?(?:=|<>|<=>|<|>|!=)([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?
>
> As the operator list is not specific enough and matches any "and|or"
> preceded with a space and followed by anything.
>
> Regards
> Benjamin
>
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules
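To make the difference between the two regexes concrete, here is an added example that is not part of the thread or of the CRS project: it compiles both patterns exactly as quoted above and runs them over a few constructed request values. It assumes Python's re engine behaves like PCRE for these patterns, uses re.IGNORECASE in place of the rule's t:lowercase transformation, and assumes the characters the list archive garbled are the curly quotes ’ and ‘.

```python
import re

# Rule 950901 as quoted in the thread (CRS 2.x before v2.2.1), joined back onto
# one line. The curly quotes ’ and ‘ are an assumption for the characters the
# archive mangled; the regex is otherwise as Benjamin posted it.
RULE_950901_OLD = re.compile(
    r"\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\’\‘](\d+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\2\b|[\'\"\`\´\‘](\w+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\3\b|([\'\"\;\`\´\’\‘]*)?\s+(and|or)\s+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?[=<>!]+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?",
    re.IGNORECASE,  # stands in for the rule's t:lowercase transformation
)

# Benjamin's proposed variant: the loose [=<>!]+ in the last branch is replaced
# by the explicit operator alternation the other three branches already use.
RULE_950901_PROPOSED = re.compile(
    r"\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\’\‘](\d+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\2\b|[\'\"\`\´\‘](\w+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\’\‘]\3\b|([\'\"\;\`\´\’\‘]*)?\s+(and|or)\s+([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?(?:=|<>|<=>|<|>|!=)([\s\'\"\`\´\’\‘]*)?\w+([\s\'\"\`\´\’\‘]*)?",
    re.IGNORECASE,
)


def rule_fires(rule, value):
    """True if the rule regex matches anywhere in the (already decoded) value."""
    return rule.search(value) is not None


def compare(samples):
    """Map each sample to (old_fires, proposed_fires) for a side-by-side view."""
    return {s: (rule_fires(RULE_950901_OLD, s), rule_fires(RULE_950901_PROPOSED, s))
            for s in samples}


# Constructed sample values: two ordinary sentences, one that both versions
# still flag, and one classic tautology that the rule exists to catch.
SAMPLES = [
    "Fish and chips! Great value.",     # benign: a lone "!" satisfies [=<>!]+
    "Tea or coffee? Either is fine.",   # benign: no operator character at all
    "apples and oranges < 5 each",      # flagged by both: "<" is a real operator
    "1' or '1'='1",                     # tautology: must stay detected
]

if __name__ == "__main__":
    for value, (old, new) in compare(SAMPLES).items():
        print(f"{value!r:36} old={old!s:5} proposed={new}")
```

The first sample is the false positive Benjamin describes (old fires, proposed does not), while the third shows the limit of the change: any "and"/"or" followed by a genuine comparison operator is still flagged by both versions.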