Re: [Mod-security-developers] Question about some rules
From: Josh Amishav-Z. <ja...@gm...> - 2012-03-07 13:57:53
On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
>
> I had to modify them slightly:
>
> rule 981243:
> -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
> -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>
> rule 981244:
> -..\s*x?or|div|like|between|and[\w\s-]+..
> +..\s*x?(or|div|like|between|and)[\w\s-]+..
>
> rule 981248:
> -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
> +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>
> Or am I missing something?
>

Hi Pavel,

The string 'like' is included to help protect against SQLi attacks. In your case it's obviously a false positive. Having said that, customizing the CRS itself will make upgrading the ruleset more difficult. It's probably a better idea to maintain a list of exceptions instead. Take a look at:

http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

--
- Josh

> --
> Pavel Mateja
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
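Review bot: in the rule 981243 pair both lines carry a `-` prefix, so the removed and the replacement regex cannot be told apart; the second line, `..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..`, is the one that adds the grouping and should be marked `+`, as the 981244 and 981248 pairs are.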
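Review bot: the 981244 replacement `..\s*x?(or|div|like|between|and)[\w\s-]+..` places the optional `x?` outside the group, so it also accepts `xdiv`, `xlike`, `xbetween` and `xand`, while the 981243 and 981248 replacements keep it inside as `(x?or|div|like|between|and)` so that it applies to `or` only; using the same grouping `(x?or|div|like|between|and)` in 981244 keeps the three rules consistent and avoids widening the match.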
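The exception-list approach Josh recommends, written out as an added example that is not part of this thread or of the CRS: the rule IDs are the three from Pavel's mail, while the /comments path, the ARGS:comment parameter and the local rule id 1000100 are assumed placeholders.

```apache
# Added example (not from the thread or the CRS): leave the CRS rule
# regexes untouched and exclude one known free-text parameter from the
# three SQLi rules that produce the false positive.
# Assumed placeholders: the /comments path, the "comment" parameter and
# the local rule id 1000100.

# Option 1: site-wide target exclusion. Must appear AFTER the Include
# that loads the CRS file defining these rules. The rules keep running
# on every other argument, header and cookie; only ARGS:comment is
# removed from their target list.
SecRuleUpdateTargetById 981243 !ARGS:comment
SecRuleUpdateTargetById 981244 !ARGS:comment
SecRuleUpdateTargetById 981248 !ARGS:comment

# Option 2 (use instead of option 1, not in addition): drop the target
# only for requests to the form that legitimately carries free text.
# Runs in phase 1, before the CRS request-body rules evaluate ARGS, and
# the exclusion applies to this transaction only.
SecRule REQUEST_URI "@beginsWith /comments" \
    "id:1000100,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetById=981243;ARGS:comment,\
    ctl:ruleRemoveTargetById=981244;ARGS:comment,\
    ctl:ruleRemoveTargetById=981248;ARGS:comment"
```

Either form survives a CRS upgrade, since the shipped rule files are not edited; review the audit log after deploying to confirm the three rules no longer fire on ARGS:comment but still fire on other parameters.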