Re: [Mod-security-developers] Question about some rules
From: Pavel M. <pa...@ne...> - 2012-03-07 14:33:23
> On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
> > I had to modify them slightly:
> >
> > rule 981243:
> > -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
> > -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
> >
> > rule 981244:
> > -..\s*x?or|div|like|between|and[\w\s-]+..
> > +..\s*x?(or|div|like|between|and)[\w\s-]+..
> >
> > rule 981248:
> > -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
> > +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
> >
> > Or am I missing something?
>
> Hi Pavel,
>
> The string 'like' is included to help protect against SQLi attacks. In your
> case it's obviously a false positive. Having said that, customizing the CRS
> itself will make upgrading the ruleset more difficult. It's probably a
> better idea to maintain a list of exceptions instead. Take a look at:
> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

OK, let's talk about part of the rule 981248:

(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])

I think this one is for catching strings similar to "5 like 8+", but the rule is positive on any word containing "like" because "|" does not have as high a priority as the author thought it has. The "\s*\d+\s*[\-+]" part is tied to "(x)or" only and the "\s*\d+\s*[\-+]" part is tied to "and" only.

It's not customizing, it's fixing broken rules from my point of view.

-- 
Pavel Mateja
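Review bot: in the rule 981243 hunk both lines carry a "-" marker, so it is not clear which one is the proposed replacement; the second line, the grouped `(x?or|div|like|between|and)` form, should be marked "+" as in the 981244 and 981248 hunks.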
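Review bot: in the rule 981244 replacement `x?` sits outside the group (`\s*x?(or|div|like|between|and)`), so the optional "x" now prefixes every alternative (xdiv, xlike, xbetween, xand) instead of only "or"; the 981243 and 981248 replacements keep it inside the group as `(x?or|div|like|between|and)`, and 981244 should match them: `\s*(x?or|div|like|between|and)[\w\s-]+`.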
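Pavel's precedence point about rule 981248, checked in code. This is an added example and not part of the original thread or of the CRS itself: it runs the 981248 fragment quoted above, in its original form and in Pavel's grouped form, against a few constructed strings using Python's re module, and also spells out the alternation the original fragment is actually equivalent to. Case-insensitive matching and the sample strings are assumptions made for the example.

```python
import re

# Fragment of CRS rule 981248 exactly as quoted in the thread.  Because "|"
# binds looser than concatenation, this is really five alternatives:
#   (\d+\s*x?or) | div | like | between | (and\s*\d+\s*[\-+])
ORIGINAL_981248 = r"(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])"

# The same alternation written out explicitly, to show what the original
# pattern means to the regex engine.
EXPLICIT_ORIGINAL = r"(?:\d+\s*x?or)|(?:div)|(?:like)|(?:between)|(?:and\s*\d+\s*[\-+])"

# Pavel's grouped version: the keyword alternatives are parenthesised, so the
# digit context on both sides now applies to every keyword.
FIXED_981248 = r"(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])"

# Constructed sample inputs (assumption: not taken from the thread), mapped to
# whether the rule is *meant* to fire on them.
SAMPLES = {
    "5 like 8+": True,        # the shape the rule is written to catch
    "1 or 2-": True,
    "3 xor 4+": True,
    "I like cats": False,     # benign text containing the bare keyword
    "divide by zero": False,  # "div" inside an ordinary word
    "between": False,
    "1 and 2": False,         # no trailing +/-, not the targeted shape
}


def matches(pattern, text):
    """Case-insensitive search; assumption: the rule runs over lowercased input."""
    return re.search(pattern, text, re.IGNORECASE) is not None


def false_positives(pattern, samples=SAMPLES):
    """Sample strings the pattern fires on although it should not."""
    return sorted(t for t, expected in samples.items()
                  if matches(pattern, t) and not expected)


def false_negatives(pattern, samples=SAMPLES):
    """Sample strings the pattern misses although it should fire."""
    return sorted(t for t, expected in samples.items()
                  if not matches(pattern, t) and expected)


def precedence_equivalent(samples=SAMPLES):
    """True if the quoted fragment and its spelled-out alternation agree on every sample."""
    return all(matches(ORIGINAL_981248, t) == matches(EXPLICIT_ORIGINAL, t)
               for t in samples)


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_981248), ("fixed", FIXED_981248)):
        print(name, "false positives:", false_positives(pat),
              "false negatives:", false_negatives(pat))
    print("original == explicit alternation:", precedence_equivalent())
```

Running the block shows the original fragment firing on "I like cats", "between" and "divide by zero" while the grouped form fires only on the "digit keyword digit +/-" shape; the same reading applies to the 981243 and 981244 fragments, which share the ungrouped alternation.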