[Owasp-modsecurity-core-rule-set] a question about rules 981173 as an example (and others alike)

Tzury Bar Yochay tzury.by at reguluslabs.com
Mon Dec 19 15:05:23 UTC 2011


The rule is as follows:

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}" \
    "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2.2.2',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'%{tx.1}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

This seems like it should match a request such as /?a=<script>

Question is, is this by design?
Shall I enable such restrictive rules by default?
Should I expect legitimate user input to be escaped somehow differently?



------8<------ my pcre matching test case below ------8<------

Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio
> require "rex_pcre"
> return rex_pcre.new([====[([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}]====]):exec("<script>")
1       14      table: 0x907d80
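To see what the rule's @rx actually requires, here is an added example of my own (not part of the post, and not CRS or ModSecurity code) that runs the regex exactly as quoted above over a few constructed inputs in Python's re module, next to an independent count of class characters; parse_qsl is assumed as a stand-in for t:urlDecodeUni when checking ARGS_NAMES and ARGS of a query string.

```python
import re
from urllib.parse import parse_qsl

# Regex copied verbatim from rule 981173 as quoted in the post. In Python's re,
# as in PCRE, a backslash before a non-letter just means that literal character.
RULE_981173_RE = re.compile(
    r"""([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}"""
)
SPECIALS = "~!@#$%^&*()-+={}[]|:;\"'´’‘`<>"   # the same class, one char each


def count_specials(value: str) -> int:
    """Independent count of class characters. For input without newlines the
    regex matches iff this is >= 4: every repetition must start on a class
    character, and the greedy `.*` absorbs whatever lies between them."""
    return sum(1 for ch in value if ch in SPECIALS)


def check_value(value: str):
    """Apply the rule's @rx (an unanchored search) to one variable.
    Returns (matched, tx_1); tx_1 is what logdata:'%{tx.1}' would carry,
    i.e. the last repetition of the capture group, or None."""
    m = RULE_981173_RE.search(value)
    return (m is not None, m.group(1) if m else None)


def check_query(query: str):
    """Mimic ARGS_NAMES|ARGS on a query string. parse_qsl is an assumed
    approximation of t:urlDecodeUni (it does not decode %uXXXX forms).
    Returns the (variable, tx_1) pairs that would fire the rule."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for var, text in ((f"ARGS_NAMES:{name}", name), (f"ARGS:{name}", value)):
            matched, tx1 = check_value(text)
            if matched:
                hits.append((var, tx1))
    return hits


if __name__ == "__main__":
    samples = [                        # constructed inputs, not from the post
        "<script>",                    # 2 class chars: does not fire
        "<script>alert(1)</script>",   # 6: fires
        "a' OR '1'='1",                # 5: fires
        "O'Reilly & Sons (UK)",        # 4: ordinary text that still fires
    ]
    for s in samples:
        print(f"{s!r:32} specials={count_specials(s)} -> {check_value(s)}")
    print(check_query("a=<script>"))                        # []
    print(check_query("q=O%27Reilly+%26+Sons+%28UK%29"))    # [('ARGS:q', ')')]
```

The last sample shows the trade-off behind the question: any value carrying four of these characters, including an apostrophe, an ampersand and a pair of parentheses in ordinary text, scores under this rule, so its anomaly weight rather than a block on its own is what keeps it usable.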

