You could exclude checking of those cookies by putting the following in
modsecurity_crs_15_customrules.conf:

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
    "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981242;!REQUEST_COOKIES:test"

I've had the same problem with these rules in that they are very
sensitive indeed by necessary.

The above rule works well in that rule 981242 is not disabled entirely
but simply ignores inspection of the named cookie.

On 17/08/11 04:34, Paul McGarry wrote:
Hi all,
I am seeing quite a lot of false positives on SQL injection errors.
One of them is rule 981242 which is objecting to a cookie:
test=asfnsdh2fub9tl6gt0mand504
with the regex:
(\"|'|`|´|’|‘)\s*x?or|div|like|between|and\s*(\"|'|`|´|’|‘)?\d
matching on "and5"
1) Is the regex missing some grouping?
As written it seems that (x)or is being treated differently than
div/like/between/and, i.e. the (x)or case requires one of the quote
characters before it while the others don't.
Should that part of the regex be:
(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)\s*(\"|'|`|´|’|‘)?\d
2) Should "and" being followed directly by a number, without space or
a quote, be a match?
On my SQL server (Postgres) I think "and5" would be a syntax error (as
opposed to "and'5" or "and 5").
Would:
(\"|'|`|´|’|‘)\s*(?:x?or|div|like|between|and)(?:(\"|'|`|´|’|‘)|\s+(\"|'|`|´|’|‘)?)\d
be a tighter match?
Paul
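Added example (not part of the original messages and not CRS code): a small harness that runs the three regexes quoted in the thread against the reported cookie value and a few constructed inputs, to show which ones fire. It assumes Python's `re` behaves like ModSecurity's PCRE for these patterns and applies no transformations such as lowercasing; the sample strings other than the cookie value are constructed.

```python
import re

# Quote alternatives and keyword list exactly as written in the thread.
Q = r"""(\"|'|`|´|’|‘)"""
KW = r"x?or|div|like|between|and"

PATTERNS = {
    # Regex quoted for rule 981242: the alternation is at top level, so
    # div, like and between match bare, and "and" needs no leading quote.
    "original": re.compile(Q + r"\s*" + KW + r"\s*" + Q + r"?\d"),
    # Question 1: group the keywords so the leading quote applies to all.
    "grouped": re.compile(Q + r"\s*(?:" + KW + r")\s*" + Q + r"?\d"),
    # Question 2: additionally require a quote or whitespace before the digit.
    "tight": re.compile(
        Q + r"\s*(?:" + KW + r")(?:" + Q + r"|\s+" + Q + r"?)\d"
    ),
}

# First entry is the cookie value from the report; the rest are constructed.
SAMPLES = [
    "asfnsdh2fub9tl6gt0mand504",
    "I like it",
    "1' and 5",
    "x' and5",
]


def matches(value):
    """Return {pattern name: matched substring or None} for one input."""
    result = {}
    for name, pattern in PATTERNS.items():
        m = pattern.search(value)
        result[name] = m.group(0) if m else None
    return result


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for name, hit in matches(sample).items():
            print(f"  {name:8} -> {hit!r}")
```

Run it against a sample of real cookie and parameter values from your own logs before changing a rule, so the false-positive reduction is measured rather than assumed.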