Jim Riggs <apache-lists@...> writes:
>
> On Jan 25, 2011, at 9:57 AM, Josh Gee wrote:
>
> > This SQL Injection rule is causing me serious headaches. It has a lot
> > of false positives, and it always matches twice, once with the case it
> > finds, and once after it lower-cases the values. This makes it very
> > hard to write an exception for.
> >
> > It seems to be so crude as to match the word "and" in just about any
> > context that includes white space. It matches in filenames (which is
> > not too bad), URLs, and even standard HTML form values.
> >
> > For now I've commented it out completely because in Anomaly Scoring mode
> > I couldn't manage to write an exception that would turn it off.
> >
> > Any ideas for a better solution?
>
> We have had some major issues with this one too and had to disable it.
> Can you not just do a `SecRuleRemoveById 950901' in your 48 local
> exceptions file? That's what I did, and I believe it to be working.
>
Is mod_security supposed to match rules twice? I'm having a similar problem to the above, where the same rule matches twice -- once in original case and then in lower case. The rule has t:lower. My understanding is that the input should be transformed to lowercase and then the rule run against that. The double matching is doubling the anomaly score and causing false positives.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
