Re: [Mod-security-developers] Question about some rules
From: Ryan B. <RBa...@tr...> - 2012-03-07 14:50:52
Pavel, you are correct. I was just looking at these regexes myself and found the same issue. Since the ) was missing, it wasn't grouping properly. I will fix this issue.

As a side note - this is an OWASP ModSecurity CRS issue and we have a separate mail-list for that - https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Thanks.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

On 3/7/12 8:23 AM, "Pavel Mateja" <pa...@ne...> wrote:

>Hi,
>I got a lot of false positives on modsecurity-crs_2.2.3 rules 981243, 981244 and 981248.
>They were catching "like" where I think they should not.
>
>Example:
>Parameter: passcode=boomlike
>Result:
>..[id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "like"] [severity "CRITICAL"]..
>..[id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "like"] [severity "CRITICAL"]..
>..[id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "like"] [severity "CRITICAL"]..
>
>I had to modify them slightly:
>
>rule 981243:
>-..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
>-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>
>rule 981244:
>-..\s*x?or|div|like|between|and[\w\s-]+..
>+..\s*x?(or|div|like|between|and)[\w\s-]+..
>
>rule 981248:
>-..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
>+..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>
>Or am I missing something?
>--
>Pavel Mateja
>
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-developers
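Review bot: in the 981243 hunk both lines carry a `-` marker, so as written the hunk removes two lines and adds nothing; the second line, `-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..`, is evidently the intended replacement and should be marked `+`. Both lines also end in a `)` whose opening parenthesis lies outside the quoted `..` context, so the grouping cannot be checked from what is shown; quoting the rule back to the matching `(` would let a reviewer confirm that the new group does not change how that outer parenthesis closes.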
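Review bot: the 981244 hunk places `x?` outside the new group, `\s*x?(or|div|like|between|and)[\w\s-]+`, whereas the 981243 and 981248 hunks keep it inside, `(x?or|div|like|between|and)`. Outside the group the optional `x` also prefixes `div`, `like`, `between` and `and`, which widens the match (`xlike`, `xand`) and is inconsistent with the other two rules; suggest `\s*(x?or|div|like|between|and)[\w\s-]+` so only `xor` gets the prefix. Note also that the grouped pattern still has no word boundary around the keyword: a benign value such as `sandwich` continues to match through `and[\w\s-]+`. That behaviour is unchanged by this hunk, but it is worth keeping in mind when judging how much of the false-positive rate the grouping fix actually removes.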
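The grouping problem discussed above, as an added illustration that is not part of the thread and not code from the CRS project: the script below takes the regex fragments for 981244 and 981248 exactly as Pavel quoted them (the `..` context of the real rules is not on the page, so only the balanced fragments are used), shows which alternatives the engine actually sees when `|` is not parenthesised, and runs the original and fixed fragments over a few constructed parameter values, including the thread's `boomlike`. It assumes Python's `re` agrees with PCRE on alternation precedence for these fragments, which it does; the helper names, the sample values and the `sandwich` case are this example's own.

```python
import re

# Regex fragments exactly as quoted in the thread (the ".." context of the
# real CRS rules is not on the page and is not reproduced here).
ORIG_981244 = r"\s*x?or|div|like|between|and[\w\s-]+"
FIXED_981244 = r"\s*x?(or|div|like|between|and)[\w\s-]+"
ORIG_981248 = r"(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])"
FIXED_981248 = r"(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])"


def top_level_alternatives(pattern):
    """Split a regex on the '|' operators that sit outside parentheses and
    character classes, i.e. the alternatives the engine really sees.
    Copies backslash escapes through untouched; sufficient for the
    fragments above (hypothetical helper written for this example)."""
    parts, buf, depth, in_class, i = [], [], 0, False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # escaped char: keep both chars
            buf.append(pattern[i:i + 2])
            i += 2
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:      # a real top-level alternation
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def first_match(pattern, value):
    """Return the text the pattern matches inside value, or None."""
    m = re.search(pattern, value)
    return m.group(0) if m else None


# Constructed sample parameter values: the thread's benign "boomlike",
# a classic tautology probe, and a benign word that merely contains "and".
SAMPLES = ["boomlike", "1 or 1 --", "sandwich"]


def compare(orig, fixed, samples=SAMPLES):
    """Map each sample to (what the original fragment matched,
    what the grouped fragment matches)."""
    return {s: (first_match(orig, s), first_match(fixed, s)) for s in samples}


if __name__ == "__main__":
    print("981244 as written :", top_level_alternatives(ORIG_981244))
    print("981244 after fix  :", top_level_alternatives(FIXED_981244))
    # 981248 is wrapped in (?:...); split its body to see the same effect.
    print("981248 as written :", top_level_alternatives(ORIG_981248[3:-1]))
    rules = {"981244": (ORIG_981244, FIXED_981244),
             "981248": (ORIG_981248, FIXED_981248)}
    for rule, (orig, fixed) in rules.items():
        for value, (before, after) in compare(orig, fixed).items():
            print(f"{rule} {value!r:12} original={before!r:12} fixed={after!r}")
```

Run stand-alone, the output shows that the unparenthesised 981244 fragment is five independent alternatives, so a bare `like` anywhere in a value is enough to fire, while the grouped form requires the keyword to be followed by `[\w\s-]+` and no longer matches `boomlike`. It also shows the residual caveat: `sandwich` still matches the grouped 981244 fragment through `and[\w\s-]+`, because grouping fixes precedence but adds no word boundary.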