Re: [Owasp-modsecurity-core-rule-set] a question about rules 981173 as an example (and others alike)

Mon, 19 Dec 2011 14:29:09 -0800 

The purpose of that rule is to identify repeated meta characters in a row (at 
least 4).  We developed this rule based on analysis of evasion methods of basic 
filters.

The example you gave did he 2 meta characters (< and >) however they were 
repetitive.

Ryan

On Dec 19, 2011, at 10:12 AM, "Tzury Bar Yochay" <tzury...@reguluslabs.com> 
wrote:

> The rule is as follows:
>
> SecRule ARGS_NAMES|ARGS|XML:/*
> "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}"
> "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2.2.2',msg:'Restricted
> SQL Character Anomaly Detection Alert - Total # of special characters
> exceeded',capture,logdata:'%{tx.1}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>
> This seemed should match request such as /?a=&lt;script&gt;
>
> Question is, is this by design?
> Shall I enable by default such restricting rules?
> Should there I expect legitimate user input escaped somehow differently?
>
>
>
> ------8<------ my pcre matching test case below ------8<------
>
> Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio
>> require "rex_pcre"
>> return 
>> rex_pcre.new([====[([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}]====]):exec("&lt;script&gt;")
> 1       14      table: 0x907d80
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to