Hi Ken,

The regex is:

    ,.*?[)\da-f\"'`][\"'`][^\"'`]+

from: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1/dev/util/regexp-assemble/regexp-942200.data#L3

What exactly matches from your quote is: , "to be, or not to be".

    ,               from the regex matches   ,
    .*?             from the regex matches    "to be, or not to b
    [)\da-f\"'`]    from the regex matches   e
    [\"'`]          from the regex matches   "
    [^\"'`]+        from the regex matches   .

The following sentence would not match, because of the x instead of the e:

    To quote William Shakespeare, "to be, or not to bx".

These are short examples which also match:

    ,"".
    ,2".
    ,a".

I have to admit that I don't have the expertise to fully understand the SQL injection covered by it. The message of the rule is:

    msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination'

The whole source of the rule is:

    ,.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`]
    ,.*?[)\da-f\"'`][\"'`]\Z
    ,.*?[)\da-f\"'`][\"'`][^\"'`]+
    \Wselect.+\W*?from
    select\s*?\(\s*?space\s*?\(
    create\s*?\(\s*?space\s*?\(
    rename\s*?\(\s*?space\s*?\(
    truncate\s*?\(\s*?space\s*?\(
    load\s*?\(\s*?space\s*?\(
    alter\s*?\(\s*?space\s*?\(
    delete\s*?\(\s*?space\s*?\(
    update\s*?\(\s*?space\s*?\(
    insert\s*?\(\s*?space\s*?\(
    desc\s*?\(\s*?space\s*?\(

I don't see any checks for comment-obfuscated injections here. We have other rules which check for comments, for example 942440. I am also not sure if these checks for literally "spaces" are originally intended?

I think this example shows us that we need to revise the SQLi rules as a whole. The rule is already on PL2 because of reported false positives. In the meantime, I think we might consider moving the third or maybe the first three lines of the source file to a stricter sibling on PL3, or we wait for the revision of the SQLi rules.

Franziska

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
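The component-by-component breakdown in Franziska's message can be reproduced mechanically. The following Python is an added example, not part of the message or of the CRS project: it takes the first three alternatives of regexp-942200.data verbatim, tests each one separately against the sample strings from the message, and wraps line 3 in named groups so the text consumed by each component is shown. The names `ALTERNATIVES`, `breakdown` and `matching_alternatives`, and the extra inputs `,""` and `,a""b"`, are assumptions made for this example. One caveat: ModSecurity evaluates the assembled rule with PCRE, while this uses Python's `re`; the two agree on these patterns, except that PCRE's `\Z` also matches before a trailing newline, which Python's `\Z` does not.

```python
import re

# The three quote/backtick-termination alternatives from regexp-942200.data
# (lines 1-3 of the file linked in the message), copied verbatim. The CRS build
# assembles them into one alternation for rule 942200; here each alternative is
# searched on its own so you can see which one actually fires on a given input.
ALTERNATIVES = {
    "line1": r''',.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`]''',
    "line2": r''',.*?[)\da-f\"'`][\"'`]\Z''',
    "line3": r''',.*?[)\da-f\"'`][\"'`][^\"'`]+''',
}

# Line 3 again, with each component wrapped in a named group so the
# piece-by-piece breakdown from the message can be reproduced mechanically.
LINE3_PARTS = re.compile(
    r''',(?P<lazy>.*?)(?P<term>[)\da-f\"'`])(?P<quote>[\"'`])(?P<rest>[^\"'`]+)'''
)


def first_match(alt: str, text: str):
    """Substring matched by one alternative (like a lone @rx check), or None."""
    m = re.search(ALTERNATIVES[alt], text)
    return m.group(0) if m else None


def matching_alternatives(text: str):
    """Names of the alternatives that fire on text; any hit means 942200 triggers."""
    return [name for name in ALTERNATIVES if re.search(ALTERNATIVES[name], text)]


def breakdown(text: str):
    """Map each component of line 3 to the text it consumed, or None on no match."""
    m = LINE3_PARTS.search(text)
    if not m:
        return None
    return {"match": m.group(0), **m.groupdict()}


if __name__ == "__main__":
    # Constructed inputs: the quotes from the message plus two extra probes.
    # Note that ',""' (no trailing character) fails line 3, because [^\"'`]+
    # needs at least one non-quote character after the closing quote, but it
    # does match line 2, whose \Z accepts the quote at end-of-string instead.
    samples = [
        'To quote William Shakespeare, "to be, or not to be".',
        'To quote William Shakespeare, "to be, or not to bx".',
        ',"".',
        ',2".',
        ',a".',
        ',""',
        ',a""b"',
    ]
    for s in samples:
        print(repr(s))
        print("  alternatives:", matching_alternatives(s))
        print("  line 3 parts:", breakdown(s))
```

Running the script shows that the Shakespeare quote is caught by line 3 alone, so moving that single line to a stricter sibling, as the message suggests, would remove this particular false positive without touching the other two quote-termination alternatives.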