Hi,
Could someone check Rule 950901? It leads to many false positives on standard
text with single quotes and "or".
Maybe this rule should be moved to paranoid setting, as it leads to SQLi scores
of 20-40 on spam posts.
I can also send a sample text, but I preferred to exclude the spam from this
mail.
Kind Regards
Paul
----
base_rules/modsecurity_crs_41_sql_injection_attacks.conf
id:'950901'
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\'\'](\d+)[\'\"\`\´\'\'] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\'\']\2\b|[\'\"\`\´\'\'](\w+)[\'\"\`\´\'\'] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\'\']\3\b|[\'\"\;\`\´\'\']*\s+or\s+[\s\'\"\`\´\'\']*\w+[\s\'\"\`\´\'\']*[=<>!]*[\s\'\"\`\´\'\']*\w+[\s\'\"\`\´\'\']*" \
        "phase:2,rev:'2.0.8',capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'950901',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
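The false-positive behaviour described in the mail can be reproduced outside ModSecurity. The Python script below is an added example, not part of the mail or of the CRS: it reassembles the four alternatives of the 950901 pattern from the rule text quoted above, approximates the rule's transformation chain (t:urlDecodeUni, t:htmlEntityDecode, t:replaceComments, t:compressWhiteSpace, t:lowercase) with standard-library calls, and runs constructed form fields through it. The score of 5 per matching argument assumes the stock CRS 2.x tx.critical_anomaly_score value; the sample form text is constructed and is not the spam Paul mentions.

```python
import html
import re
from urllib.parse import unquote

# Quote character classes exactly as they appear in the posted rule. The
# trailing \'\' is how the rule's curly-quote characters arrived in the mail;
# they are kept as-is rather than guessed at.
Q = r"[\'\"\`\´\'\']"
QS = r"[\s\'\"\`\´\'\']"
OP = r" ?(?:=|<>|<=>|<|>|!=) ?"

# The four alternatives of the CRS 2.0.8 rule 950901 pattern, reassembled from
# the mail-wrapped rule text. Groups 1-3 line up with the backreferences
# \1, \2, \3 of the original.
RULE_950901 = re.compile("|".join([
    r"\b(\d+)" + OP + r"\1\b",                       # 1=1
    Q + r"(\d+)" + Q + OP + Q + r"\2\b",             # '1'='1
    Q + r"(\w+)" + Q + OP + Q + r"\3\b",             # 'a'='a
    r"[\'\"\;\`\´\'\']*\s+or\s+" + QS + r"*\w+" + QS + r"*[=<>!]*"
    + QS + r"*\w+" + QS + r"*",                      # ... or x y
]))

# Assumption: stock CRS 2.x configuration, tx.critical_anomaly_score=5.
CRITICAL_ANOMALY_SCORE = 5


def transform(value: str) -> str:
    """Approximate the rule's transformation chain. Close enough for plain
    form text; not a byte-exact port of ModSecurity's transformations."""
    value = unquote(value)                                    # t:urlDecodeUni (%xx part)
    value = html.unescape(value)                              # t:htmlEntityDecode
    value = re.sub(r"/\*.*?(\*/|$)", " ", value, flags=re.S)  # t:replaceComments
    value = re.sub(r"\s+", " ", value)                        # t:compressWhiteSpace
    return value.lower()                                      # t:lowercase


def scan(value: str) -> list[str]:
    """Fragments the rule would log as %{TX.0} for one argument value."""
    return [m.group(0).strip() for m in RULE_950901.finditer(transform(value))]


def score_request(args: dict[str, str]) -> int:
    """Lower-bound SQLi anomaly score for one request: each ARGS value that
    matches adds tx.critical_anomaly_score once. With multiMatch the rule's
    actions can run more than once per variable, so live scores may be higher."""
    return sum(CRITICAL_ANOMALY_SCORE for v in args.values() if scan(v))


# Constructed sample form post (ordinary English, no SQL intent).
POSTED_FORM = {
    "subject": "Coffee or tea?",
    "body": "It's not this or that, it's something else.",
    "name": "Paul",
}

if __name__ == "__main__":
    for field, value in POSTED_FORM.items():
        print(f"{field:8} -> {scan(value)}")
    print("SQLi score for the form:", score_request(POSTED_FORM))
    # The textbook tautology the rule is meant to catch, for comparison.
    print("tautology ->", scan("admin' or '1'='1"))
```

After backtracking, the last alternative reduces to "whitespace, or, whitespace, then two or more word characters", which is why "this or that" and "Coffee or tea?" both match and each adds 5 to the request's score. Where the rule cannot be moved to a paranoid setting, the usual operational fix is a per-parameter target exclusion (from ModSecurity 2.6: `SecRuleUpdateTargetById 950901 !ARGS:body`) so the rule only inspects fields that actually reach SQL.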
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set