Me too - I'm seeing 981248 and 981173 trigger on cookies containing "7or" and "8Or" (i.e. "8or"). Sounds like there's a bunch of rules that are triggering on 3-char matches - that is waaaaay too small - the FP rate is guaranteed to be large!
(I just joined today and the very first email I see is about the very problem I just joined the list about. Freaky)

Jason

On 17/08/11 15:34, Paul McGarry wrote:
>
> Hi all,
>
> I am seeing quite a lot of false positives on SQL injection errors.
>
> One of them is rule 981242 which is objecting to a cookie:
> test=asfnsdh2fub9tl6gt0mand504
> with the regex:
> (\"|'|`|´|’|‘)\s*x?or|div|like|between|and\s*(\"|'|`|´|’|‘)?\d
> matching on "and5"
>
> 1) Is the regex missing some grouping?
> As written it seems that (x)or is being treated differently than
> div/like/between/and, i.e. the (x)or case requires one of the quote
> characters before it while the others don't.
> Should that part of the regex be:
> (\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)\s*(\"|'|`|´|’|‘)?\d
>
> 2) Should "and" being followed directly by a number, without space or
> a quote, be a match?
> On my SQL server (Postgres) I think "and5" would be a syntax error (as
> opposed to "and'5" or "and 5").
> Would:
> (\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)(?:(\"|'|`|´|’|‘)|\s+(\"|'|`|´|’|‘)?)\d
> be a tighter match?
>
> Paul
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
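The three regexes from Paul's message (the rule as posted and his two suggested rewrites), run side by side over his cookie value and a few constructed inputs, as an added example that is not part of this thread or of the OWASP CRS project. It uses Python's re module rather than ModSecurity's PCRE engine, assumes case-insensitive matching (consistent with the "8Or" hits Jason reports), and every sample value other than the cookie from Paul's message is constructed for illustration.

```python
import re

# Quote alternatives copied verbatim from the rule's regex in Paul's message.
QUOTE = r"(\"|'|`|´|’|‘)"

# Rule 981242 as posted. Alternation binds loosest, so the five top-level
# branches are:   QUOTE\s*x?or | div | like | between | and\s*QUOTE?\d
# Only the (x)or branch requires a leading quote; div/like/between match bare,
# and "and" needs nothing more than an optional space/quote and a digit.
ORIGINAL = QUOTE + r"\s*x?or|div|like|between|and\s*" + QUOTE + r"?\d"

# Paul's first suggestion: group the keywords so the leading quote and the
# trailing digit apply to every branch, not just the first and last.
GROUPED = QUOTE + r"\s*(?:x?or|div|like|between|and)\s*" + QUOTE + r"?\d"

# Paul's second suggestion: additionally demand a quote, or at least one
# whitespace character, between the keyword and the digit ("and5" is out,
# "and'5" and "and 5" stay in).
TIGHTER = (QUOTE + r"\s*(?:x?or|div|like|between|and)"
           + r"(?:" + QUOTE + r"|\s+" + QUOTE + r"?)\d")

# Assumption: the rule matches case-insensitively (Jason sees "8Or" fire).
PATTERNS = {
    "original": re.compile(ORIGINAL, re.IGNORECASE),
    "grouped": re.compile(GROUPED, re.IGNORECASE),
    "tighter": re.compile(TIGHTER, re.IGNORECASE),
}


def first_match(pattern_name, value):
    """Return the text the named pattern matches in value, or None."""
    m = PATTERNS[pattern_name].search(value)
    return m.group(0) if m else None


def evaluate(value):
    """Run every variant against one cookie value for side-by-side comparison."""
    return {name: first_match(name, value) for name in PATTERNS}


def false_positives(pattern_name, benign_values):
    """Benign values that the named pattern still flags."""
    return [v for v in benign_values if first_match(pattern_name, v) is not None]


# Paul's cookie value plus constructed benign values that hit the bare keywords.
BENIGN = [
    "asfnsdh2fub9tl6gt0mand504",  # from Paul's message: "and" directly before "5"
    "individual",                 # constructed: contains the bare substring "div"
    "likewise7",                  # constructed: bare "like" followed by a digit
]

# Constructed injection-style probes that a tightened rule must still catch.
MALICIOUS = [
    "' or 1=1",
    "'and '5",
]

if __name__ == "__main__":
    for value in BENIGN + MALICIOUS:
        print(repr(value), evaluate(value))
    for name in PATTERNS:
        print(name, "false positives:", false_positives(name, BENIGN))
```

Both rewrites stop the "and5" and bare-"div" hits while still matching the quoted probes; the difference between them shows up on a value like "'and5", which the grouped form still flags and the tighter form does not, which is exactly Paul's question 2.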
