Hello Marco,

Truth be told, ModSecurity and especially the Core Rules are not very 
good at handling UTF-8. Basic support is there, but it is really quite
limited and the Core Rules bring you a lot of false positives with
UTF-8 encoded requests.

This might be less the case with the upcoming Core Rules 3 release, but
I would not be surprised if that would continue to be a weak spot.

The rule in question has been updated for Core Rules 3.0.
It has the number 942330 now. The regex is now

"(?i:(?:[\"'`]\s*?(x?or|div|like|between|and)\s*?[\"'`]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`]$)|(?:(?:^[\"'`\\\\]*?(?:[\d\"'`]+|[^\"'`]+[\"'`]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].)|(?:\Winformation_schema|table_name\W))"

Would you be so kind as to give this a shot?

If you still get a false positive, then we need to open an issue
on GitHub and tag it with "false positive".

Sorry for the inconvenience (and the delay with responding).

Ahoj,

Christian
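To try the updated regex against your own request values before opening an issue, here is an added example (my code, not Christian's and not part of the CRS project). It applies the 942330 expression the way ModSecurity's PCRE does, to the raw UTF-8 bytes without PCRE's UTF-8 mode (an assumption about the engine build), after stripping the Apache config quoting from the rule string (another assumption); the Greek and Russian sample values are constructed and stand for an argument after the rule's transformations have run.

```python
import re

# Rule 942330 as quoted in the mail, with the config-file quoting removed
# (\" -> ", \\\\ -> \\). That unescaping is my assumption about how Apache
# hands the string to ModSecurity.
RULE_942330 = (
    r'''(?i:(?:["'`]\s*?(x?or|div|like|between|and)\s*?["'`]?\d)'''
    r'''|(?:\\x(?:23|27|3d))'''
    r'''|(?:^.?["'`]$)'''
    r'''|(?:(?:^["'`\\]*?(?:[\d"'`]+|[^"'`]+["'`]))+\s*?'''
    r'''(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w"'`][+&!@(),.-])'''
    r'''|(?:[^\w\s]\w+\s*?[|-]\s*?["'`]\s*?\w)'''
    r'''|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?["'`\d]+)'''
    r'''|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])'''
    r'''|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?["'`].)'''
    r'''|(?:\Winformation_schema|table_name\W))'''
)

# Compile as a bytes pattern: in a Python bytes regex \w, \d and \s are
# ASCII-only, which is what PCRE does without UTF-8 mode. Every byte of a
# multibyte character is therefore a "non-word" character (\W) to the rule.
PATTERN = re.compile(RULE_942330.encode("ascii"))


def rule_942330_matches(value: str) -> bool:
    """True if rule 942330 would fire on this (already transformed) argument."""
    return PATTERN.search(value.encode("utf-8")) is not None


# Constructed sample arguments: the same sentence in English, Greek and
# Russian, plus a plain Greek name and a classic quote/operator probe.
SAMPLES = [
    "Apartment 2 in 'Kalo'",
    "Διαμέρισμα 2 στο 'Καλό'",
    "Квартира 2 на 'Лесной'",
    "Γιώργος",
    "' or 1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{rule_942330_matches(sample)!s:5}  {sample!r}")
```

The English sentence passes while its Greek and Russian versions match the last-but-one alternative (`[^\w\s:]\s*?\d\W+[^\w\s]\s*?["'`].`), because the bytes of the non-ASCII letters satisfy `[^\w\s]` and `\W` where Latin letters would not; that is the kind of value worth attaching to a false-positive issue.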
On Tue, Aug 16, 2016 at 02:43:52PM +0200, Marco Wagner wrote:
> Hi @ all,
> 
> I have a question you can read on stackoverflow regarding false
> positives when greek or russian characters are used in the requests
> of our web services.
> 
> http://stackoverflow.com/questions/38974102/modsecurity-owasp-core-rule-set-unicode-false-positive
> 
> 
> Would love to hear from you.
> 
> PS: I subscribed to the list a few minutes ago, I also confirmed my email.
> 
> Best regards,
> Marco Wagner
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set