Ehsan, On Tue, Mar 07, 2017 at 09:43:39PM +0330, Ehsan Mahdavi wrote: > It does nothing > It doesn't increment any inbound scores > So if you use anomaly mechanism nothing will happen.
No, that is not correct. If you examine it, you will notice that the rule 951100 sets the variable sql_error_match. The remaining rules in the 951xxx group use this variable and link it to an information about the DBMS used by the backend. > On the other hand, sql-error.data file contains general terms like "error" > and "warning". If the rule works, it will generate tons of false positives. Again, this has to be seen in the light of the following rules. "Error" is not enough. It takes "Error" in combination with a string like "JET Database Engine". And if you have "Error" in combination with a DB engine, then I think it is a real positive and the response should be blocked. Did I convince you? If not, please explain where I make a mistake in my thinking. An example response with an error ignored by CRS (-> false negative) or a false positive would really help. Ahoj, Christian > > On Tuesday, March 7, 2017, Christian Folini <[email protected]> > wrote: > > > Hi there, > > > > Ooops. What is the problem? Here is the rule in question? > > > > SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \ > > "phase:response,\ > > id:951100,\ > > rev:'5',\ > > ver:'OWASP_CRS/3.0.0',\ > > pass,\ > > nolog,\ > > tag:'application-multi',\ > > tag:'language-multi',\ > > tag:'platform-multi',\ > > tag:'attack-disclosure',\ > > setvar:tx.sql_error_match=1,\ > > t:none" > > > > Is there something wrong with the mechanism or have you found an > > sql-error not being listed in the data file? The latter is very well > > possible and we would welcome submissions of additional error strings. > > > > Ahoj, > > > > Christian > > > > > > On Tue, Mar 07, 2017 at 06:57:29PM +0330, Ehsan Mahdavi wrote: > > > Hi All > > > Rule 951100 in CRS 3 is not working. > > > > > > be careful with that. > > > > > _______________________________________________ > > > Owasp-modsecurity-core-rule-set mailing list > > > [email protected] <javascript:;> > > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set > > > > _______________________________________________ > > Owasp-modsecurity-core-rule-set mailing list > > [email protected] <javascript:;> > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set > > > > > -- > regards > Ehsan.Mahdavi > PhD candidated for Computer Engineering > by Isfahan University of Technology > http://emahdavi.ece.iut.ac.ir/ _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
