[Mod-security-developers] Question about some rules
From: Pavel M. <pa...@ne...> - 2012-03-07 13:50:10
Hi,

I got a lot of false positives on modsecurity-crs_2.2.3 rules 981243, 981244 and 981248. They were catching "like" where I think they should not.

Example:
Parameter: passcode=boomlike
Result:
..[id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "like"] [severity "CRITICAL"]..
..[id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "like"] [severity "CRITICAL"]..
..[id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "like"] [severity "CRITICAL"]..

I had to modify them slightly:

rule 981243:
-..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..

rule 981244:
-..\s*x?or|div|like|between|and[\w\s-]+..
+..\s*x?(or|div|like|between|and)[\w\s-]+..

rule 981248:
-..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
+..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..

Or am I missing something?

--
Pavel Mateja
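Review bot: in the rule 981243 pair both lines carry a `-` marker, so it is ambiguous which one is the replacement; the second line, with the alternation wrapped as `(x?or|div|like|between|and)`, should be marked `+`. The added parentheses form a capturing group; `(?:x?or|div|like|between|and)` gives the same grouping without shifting capture numbering in the elided remainder of the pattern.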
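Review bot: in the rule 981244 replacement the group opens after `x?`, giving `x?(or|div|like|between|and)`, so the optional `x` now applies to every keyword (`xlike`, `xand`) instead of only to `or` as in the 981243 and 981248 changes; `(?:x?or|div|like|between|and)` would keep the three rules consistent. As far as the visible fragment goes, `\s*` still allows zero whitespace before the keyword and `[\w\s-]+` only needs one trailing word character, so a value such as `boomlikes` is worth adding to a regression test alongside `passcode=boomlike`.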
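Review bot: in the rule 981248 replacement the new inner group is capturing while the enclosing one is `(?:`; use `(?:x?or|div|like|between|and)` for consistency. In the original line the alternation split the pattern so that `\d+\s*` bound only to `x?or` and `\s*\d+\s*[\-+]` only to `and`, leaving `div`, `like` and `between` as bare alternatives, which matches the reported [data "like"]. After grouping, all five keywords require digits on both sides, so confirm that this narrowing is intended for each of them.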