The rule is as follows:

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2.2.2',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'%{tx.1}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

It seems this should match a request such as /?a=<script>

The question is: is this by design? Shall I enable such restricting rules by default? Should I expect legitimate user input to be escaped somehow differently?

------8<------ my pcre matching test case below ------8<------

Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio
> require "rex_pcre"
> return
> rex_pcre.new([====[([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}]====]):exec("<script>")
1 14 table: 0x907d80

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
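
Added example, not part of the original post or of the Core Rule Set: a Python check of which request parameters the regex quoted in rule 981173 flags after URL decoding, useful for estimating false positives before enabling the rule. The sample requests are constructed, inspect_query is a hypothetical helper, and unquote() only approximates t:urlDecodeUni.

```python
import re
from urllib.parse import parse_qsl, unquote

# Regex copied verbatim from rule 981173 as quoted in the post.
RESTRICTED_CHARS = re.compile(
    r"""([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}"""
)


def inspect_query(query_string):
    """Return (variable, matched_text) for each ARGS_NAMES/ARGS target the regex hits."""
    hits = []
    # parse_qsl performs the first URL decode, as ModSecurity does when filling ARGS.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        for variable, raw in ((f"ARGS_NAMES:{name}", name), (f"ARGS:{name}", value)):
            # Assumption: unquote() stands in for t:urlDecodeUni (no %uXXXX support).
            match = RESTRICTED_CHARS.search(unquote(raw))
            if match:
                hits.append((variable, match.group(0)))
    return hits


# Constructed sample requests, not taken from real traffic.
SAMPLES = {
    "two specials": "a=%3Cscript%3E",                       # < >
    "entity-encoded": "a=%26lt%3Bscript%26gt%3B",           # & ; & ;
    "array-style name": "filter%5Bprice%5D%5Bmin%5D=10",    # [ ] [ ]
    "ordinary prose": "comment=Hi%21+It%27s+me+%28again%29+-+thanks",
}


def run_samples():
    """Evaluate every constructed sample and return {label: hits}."""
    return {label: inspect_query(qs) for label, qs in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:18} {'MATCH' if hits else 'no match'} {hits}")
```

The threshold is a count of at least four listed characters in a single name or value, so array-style parameter names and ordinary punctuated text trip it as readily as markup does.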