Thanks for the feedback, Paul.  FYI - you can review some of the reference
links at the top of the file to see some example payloads that we
referenced while creating these rules -


#
# References:
#
# SQL Injection Pocket Reference (via @LightOS) -
# https://docs.google.com/Doc?docid=0AZNlBave77hiZGNjanptbV84Z25yaHJmMjk
#
# SQLi Filter Evasion Cheat Sheet -
# http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
#
# SQL Injection Cheat Sheet -
# http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
#
# SQLMap's Tamper Scripts (for evasions)
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/
#

For the specific rule you mentioned - 981242 - this is a converted phpids
rule.  You can review example test payloads that they use here -
https://dev.itratos.de/projects/php-ids/repository/entry/trunk/tests/IDS/MonitorTest.php.  Look for the public function testSQLIList() sections.


In reviewing your recommendations, I agree with #1 and we should probably
group the AND operator group together.  This should fix the FP as it would
require one of the leading quotes to be present.  I will do this in the
next CRS release.

-Ryan

On 8/16/11 11:34 PM, "Paul McGarry" <p...@paulmcgarry.com> wrote:

>Hi all,
>
>I am seeing quite a lot of false positives on SQL injection errors.
>
>One of them is rule 981242 which is objecting to a cookie:
>test=asfnsdh2fub9tl6gt0mand504
>with the regex:
>(\"|'|`|´|¹|Œ)\s*x?or|div|like|between|and\s*(\"|'|`|´|¹|Œ)?\d
>matching on "and5"
>
>1) Is the regex missing some grouping?
>As written it seems that (x)or is being treated differently than
>div/like/between/and, ie the (x)or case requires one of the quote
>characters before it while the others don't.
>Should that part of the regex be:
>(\"|'|`|´|¹|Œ)\s*(?:x?or|div|like|between|and)\s*(\"|'|`|´|¹|Œ)?\d
>
>2) Should "and" being followed directly by a number, without space or
>a quote, be a match?
>On my SQL server (Postgres) I think "and5" would be a syntax error (as
>opposed to "and'5" or "and 5").
>Would:
>(\"|'|`|´|¹|Œ)\s*(?:x?or|div|like|between|and)(?:(\"|'|`|´|¹|Œ)|\s+(\"|'|`|´|¹|Œ)?)\d
>be a tighter match?
>
>Paul
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set@lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
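To make the grouping problem concrete, here is an added example (not part of the thread and not CRS code) that runs the three regex variants from the discussion against the cookie value Paul quoted and a few constructed probes. The `evaluate` helper and the assumption that the rule matches case-insensitively are mine, not the rule's.

```python
import re

# The quote-like prefix alternation exactly as it appears in the rule.
QUOTE = r"(\"|'|`|´|¹|Œ)"

# Rule 981242 as written: the alternation is unparenthesised, so only the
# "x?or" branch is tied to a leading quote; "and\s*...\d" stands on its own.
ORIGINAL = re.compile(
    QUOTE + r"\s*x?or|div|like|between|and\s*" + QUOTE + r"?\d",
    re.IGNORECASE)  # case-insensitive matching is an assumption

# Paul's suggestion #1: group the keywords so every branch needs the quote.
GROUPED = re.compile(
    QUOTE + r"\s*(?:x?or|div|like|between|and)\s*" + QUOTE + r"?\d",
    re.IGNORECASE)

# Paul's suggestion #2: the keyword must be followed by a quote, or by
# whitespace (optionally a quote), before the digit, so "and5" is excluded.
TIGHT = re.compile(
    QUOTE + r"\s*(?:x?or|div|like|between|and)"
    + r"(?:" + QUOTE + r"|\s+" + QUOTE + r"?)\d",
    re.IGNORECASE)


def matches(pattern, value):
    """Return the matched substring (what an @rx hit would log), or None."""
    m = pattern.search(value)
    return m.group(0) if m else None


def evaluate(value):
    """Run one input through all three variants and report each result."""
    return {
        "original": matches(ORIGINAL, value),
        "grouped": matches(GROUPED, value),
        "tight": matches(TIGHT, value),
    }


if __name__ == "__main__":
    # Constructed inputs: the cookie from the thread, then probes that show
    # where the grouped and tightened variants differ.
    for value in ["asfnsdh2fub9tl6gt0mand504", "' or 1", "'and'5", "'and5"]:
        print(repr(value), evaluate(value))
```

The cookie trips only the original pattern (on "and5"), while a quote-prefixed probe still trips all three, which is the false-positive reduction Ryan agrees to in his reply.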

