[Owasp-modsecurity-core-rule-set] Rule 950901 - Many false positives [v2.0.8]

Paul Rosenbusch pr at batix.com
Thu Nov 4 06:20:45 EDT 2010


Hi,

could someone check Rule 950901? It leads to many false positives on standard text with single quotes and "or".
Maybe this rule should be moved to paranoid setting, as it leads to SQLi scores of 20-40 on spam posts.
I can also send a sample text, but I preferred to exclude the spam from this mail.

Kind Regards

Paul
----
base_rules/modsecurity_crs_41_sql_injection_attacks.conf
id:'950901'

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\'\'](\d+)[\'\"\`\´\'\'] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\'\']\2\b|[\'\"\`\´\'\'](\w+)[\'\"\`\´\'\'] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\'\']\3\b|[\'\"\;\`\´\'\']*\s+or\s+[\s\'\"\`\´\'\']*\w+[\s\'\"\`\´\'\']*[=<>!]*[\s\'\"\`\´\'\']*\w+[\s\'\"\`\´\'\']*" \
"phase:2,rev:'2.0.8',capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'950901',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

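To see which part of the rule fires on ordinary prose, the following added example (not part of the original post or of the CRS) isolates the rule's last alternative, the "or" branch, and runs it over constructed sample strings. The helper names, the sample strings and the "operator required" variant are assumptions made for illustration; Python's re module stands in for PCRE, and only the lowercase and compressWhiteSpace transformations are approximated.

```python
import re

# Quote characters from the rule's character classes, as printed in the post.
Q = "'\"`´"

def or_branch(op_quantifier):
    """Build the rule's last alternative (the 'or' branch).

    op_quantifier is '*' in rule 950901 as posted; '+' is a hypothetical
    variant used here only for comparison, not a CRS change.
    """
    return re.compile(
        rf"[{Q};]*\s+or\s+[\s{Q}]*\w+[\s{Q}]*"
        rf"[=<>!]{op_quantifier}[\s{Q}]*\w+[\s{Q}]*"
    )

AS_POSTED = or_branch("*")
OPERATOR_REQUIRED = or_branch("+")

def normalise(value):
    # Approximates t:compressWhiteSpace and t:lowercase; the other
    # transformations in the rule leave these plain-text samples unchanged.
    return re.sub(r"\s+", " ", value).lower()

def hit(pattern, value):
    """Return the matched text (what %{TX.0} would log) or None."""
    m = pattern.search(normalise(value))
    return m.group(0) if m else None

# Constructed samples: ordinary sentences and one classic tautology.
BENIGN = [
    "Call me today or tomorrow, it's fine",
    "Don't reply 'yes' or 'no' yet",
]
TAUTOLOGY = "x' or 1=1"

if __name__ == "__main__":
    for sample in BENIGN + [TAUTOLOGY]:
        print(f"{sample!r}: as posted -> {hit(AS_POSTED, sample)!r}, "
              f"operator required -> {hit(OPERATOR_REQUIRED, sample)!r}")
```

Because the comparison operator is optional in the branch as posted, its two \w+ groups can split a single word between them, so " or " followed by any word of two or more characters matches, with or without quotes.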
