Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
From: Achim H. <web...@si...> - 2015-03-26 08:40:03
Hi Neha,

the rule complains 'cause it detects more than 4 " (double quote), see the {4,} at end of the regex. You have to increase the number of allowed ".

I'd suggest to copy the rule twice, then remove the " in first copy and reduce the second copy to " itself and give it a proper count. Example for the second copy

(".*?){23,}

Then also don't forget to disable the original rule (i.e. RemovebyId).

Hope this helps
Achim

On 26.03.2015 04:20, Neha Chriss wrote:
> Pattern match
> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> at ARGS_NAMES:{"data":{"description":"Foo
> Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> [file
> "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
> Detection Alert - Total # of special characters exceeded"] [data "Matched
> Data: \x22 found within
> ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo
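An added example, not part of either e-mail or of the CRS: a Python check that counts the characters rule 981173 looks for in the ARGS_NAMES value from the log, so candidate thresholds can be tried before the rule is changed. It relies on `([class].*?){n,}` matching a single-line value exactly when the value holds at least n characters from the class; the space in "Foo Bar" (wrapped in the e-mail) is an assumption, and `count_class`, `fires` and `report` are names made up here.

```python
import re

# Character class of rule 981173 as quoted in the log: the ASCII specials
# plus the three typographic quote characters (shown there as UTF-8 bytes).
SPECIALS = "~!@#$%^&*()-+={}[]|:;\"'´’‘`<>"

# ARGS_NAMES value from the log. The e-mail wrapped "Foo Bar" across two
# lines; a single space is assumed here.
UUID = "8d8b8b8a-8c84-8888-8888-88888888888888"
SAMPLE = (
    '{"data":{"description":"Foo Bar","ids":['
    + ",".join(f'"{UUID}"' for _ in range(5))
    + "]}}"
)


def count_class(chars, value):
    """Return how many characters of value belong to the class 'chars'."""
    cls = "[" + "".join(re.escape(c) for c in chars) + "]"
    return len(re.findall(cls, value))


def fires(chars, threshold, value):
    """Predict whether ([chars].*?){threshold,} matches a single-line value.

    Counting is used instead of running the lazy pattern itself, which
    backtracks heavily on values that fall just short of the threshold.
    """
    return count_class(chars, value) >= threshold


def report(value):
    """Evaluate the original rule and the two suggested copies on value."""
    rest = SPECIALS.replace('"', "")  # first copy: class without the quote
    return {
        "original {4,}": fires(SPECIALS, 4, value),
        "quote-only {23,}": fires('"', 23, value),
        "without-quote {4,}": fires(rest, 4, value),
        "double quotes": count_class('"', value),
        "other specials": count_class(rest, value),
    }


if __name__ == "__main__":
    for name, result in report(SAMPLE).items():
        print(f"{name}: {result}")
```

For this body the quote-only copy at {23,} stays quiet (18 double quotes), while the copy without the quote still counts 29 characters, mostly the hyphens in the ids, so its count needs the same kind of tuning.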