<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title></title>
    </head>
    <body>
        <p>
            Hello,<br />
            <br />
I'm sorry to bring this up again, but my questions didn't get an answer, so I still think these rules to be prone to false positives.<br />
            <br />
            As a new release of the rules is coming out soon, I thought I should bring this up for discussion again.<br />
            <br />
            Shouldn't rules 950107, 950109 and 950108 be rewritten to be something more like this: "\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%u[0-9a-fA-F]{4}(?![0-9a-fA-F])"? Like they are now, "%1" would match and, unless I missed the point on what the rules should do, this would be a false positive, am I right?<br />
            <br />
            Thanks and sorry for all the noise.<br />
            Luís Silva<br />
            <br />
            Quoting "Luís Silva" &lt;luis.silva@axiomasoft.pt&gt;:<br />
            <br />
            &gt; Hello,<br />
            &gt;<br />
            &gt; On Wed, 2010-09-08 at 10:16 -0500, Ryan Barnett wrote:<br />
            &gt;<br />
            &gt;&gt; On 9/8/10 10:44 AM, "Dirk Caspari" &lt;d.caspari@eurodata.de&gt; wrote:<br />
            &gt;&gt;<br />
            &gt;&gt; &gt; --411a3f76-B--<br />
            &gt;&gt; &gt; GET /src/read_body.php?mailbox=INBOX&amp;passed_id=81&amp;startMessage=1 HTTP/1.1<br />
            &gt;&gt; &gt; Host: xxx.xxxxxxxx.de<br />
            &gt;&gt; &gt; User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.9.2.3)<br />
            &gt;&gt; &gt; Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3<br />
            &gt;&gt; &gt; Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
            &gt;&gt; &gt; Accept-Language: de-DE,de;q=0.8,de-de;q=0.6,en-us;q=0.4,en;q=0.2<br />
            &gt;&gt; &gt; Accept-Encoding: gzip,deflate<br />
            &gt;&gt; &gt; Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
            &gt;&gt; &gt; Keep-Alive: 115<br />
            &gt;&gt; &gt; Connection: keep-alive<br />
            &gt;&gt; &gt; Referer:<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; <a href="https://xxx.xxxxxxxxx.de/src/right_main.php?PG_SHOWALL=0&amp;sort=0&amp;startMessage=1" target="_blank">https://xxx.xxxxxxxxx.de/src/right_main.php?PG_SHOWALL=0&amp;sort=0&amp;startMessage=1</a><br />
            &gt;&gt; &gt; &amp;mailbox=INBOX<br />
            &gt;&gt; &gt; Cookie: xxxxx<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; &gt; --411a3f76-H--<br />
            &gt;&gt; &gt; Message: Pattern match "\%(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}" at<br />
            &gt;&gt; &gt; ARGS:passed_id. [file<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_20_protocol_violations<br />
            &gt;&gt; &gt; .conf"]<br />
            &gt;&gt; &gt; [line "185"] [id "950109"] [rev "2.0.8"] [msg "Multiple URL Encoding<br />
            &gt;&gt; &gt; Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]<br />
            &gt;&gt; &gt; Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score.<br />
            &gt;&gt; &gt; [file<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"]<br />
            &gt;&gt; &gt; [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=,<br />
            &gt;&gt; &gt; XSS=): Multiple URL Encoding Detected !<br />
            &gt;&gt; &gt; %{matched_var_name}=%{matched_var} !"]<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; &gt; Thanks.<br />
            &gt;&gt; &gt;&#160; &#160;D I R K<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; &gt;<br />
            &gt;&gt; &gt;<br />
            &gt;&gt;<br />
            &gt;&gt; Hmm.. Looks like the previous version in SVN was missing the parentheses in<br />
            &gt;&gt; the RegEx.&#160; Use this latest version -<br />
            &gt;&gt;<br />
            &gt;&gt; <a href="http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_r" target="_blank">http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_r</a><br />
            &gt;&gt; ules/modsecurity_crs_20_protocol_violations.conf?revision=1535<br />
            &gt;&gt;<br />
            &gt;&gt;<br />
            &gt;<br />
            &gt; The regular expression in rules 950107, 950109 and 950108 shouldn't<br />
            &gt; instead be something like "\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%<br />
            &gt; u[0-9a-fA-F]{4}(?![0-9a-fA-F])"?<br />
            &gt; The expression provided will still match for example "%1" and, unless I<br />
            &gt; missed the point on what the rules should do, this would be a false<br />
            &gt; positive.<br />
            &gt;<br />
            &gt;&gt;<br />
            &gt;&gt; _______________________________________________<br />
            &gt;&gt; Owasp-modsecurity-core-rule-set mailing list<br />
            &gt;&gt; Owasp-modsecurity-core-rule-set@lists.owasp.org<br />
            &gt;&gt; <a href="https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set</a><br />
            &gt;&gt;<br />
            &gt;<br />
            &gt; Thanks,<br />
            &gt; Luís<br />
            &gt;<br />
            <br />
            <br />
            ----------------------------------------------------------------<br />
            This message was sent using IMP, the Internet Messaging Program.<br />
        </p>
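<p>
            Editor's added example (not part of the thread above and not code from the CRS project): the three regular expressions discussed in this message, run side by side over a few constructed argument values. The first is the expression exactly as it appears in the quoted audit log; the second is an assumed reading of the "parentheses added" fix mentioned in the reply (the alternation moved inside one negative lookahead), labelled as an assumption because SVN revision 1535 is not quoted on the page; the third is the expression proposed in the message. The table it prints shows why <code>passed_id=81</code> fired in the quoted log, and where the other two patterns disagree.
        </p>

```python
import re

# Expression exactly as it appears in the quoted audit-log message. The alternation
# sits at the top level, so the second and third branches match two hex digits
# (or 'u' plus four) anywhere in the value, with no '%' required at all. That is
# why ARGS:passed_id=81 in the quoted log triggered rule 950109.
LOGGED_RE = re.compile(r"\%(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}")

# ASSUMPTION: one possible reading of the "missing parentheses" fix mentioned in the
# reply: the whole alternation moves inside a single negative lookahead, so the
# expression flags a '%' that is NOT followed by a well-formed %XX or %uXXXX escape.
# This is an assumed reconstruction, not a quotation of SVN revision 1535.
LOOKAHEAD_RE = re.compile(r"\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Expression proposed in the message: a '%' followed by exactly two hex digits, or
# by 'u' and exactly four, i.e. a well-formed escape still present in the value.
PROPOSED_RE = re.compile(
    r"\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%u[0-9a-fA-F]{4}(?![0-9a-fA-F])"
)

PATTERNS = {"logged": LOGGED_RE, "lookahead": LOOKAHEAD_RE, "proposed": PROPOSED_RE}

# Constructed sample argument values (not taken from a real request), chosen to
# separate the three behaviours: a plain number, a plain word, a valid %XX escape,
# a %u escape, a truncated escape, a '%' followed by non-hex, and a bare '%'.
SAMPLES = ["81", "INBOX", "%41", "%u0041", "%1", "%zz", "%"]


def evaluate(value):
    """Return, per pattern, whether it would fire on a single argument value."""
    return {name: pat.search(value) is not None for name, pat in PATTERNS.items()}


def report(samples=SAMPLES):
    """Evaluate every sample and return {value: {pattern: fired}}."""
    return {value: evaluate(value) for value in samples}


if __name__ == "__main__":
    names = list(PATTERNS)
    print(f"{'value':<10}" + "".join(f"{n:>11}" for n in names))
    for value, hits in report().items():
        print(f"{value:<10}" + "".join(f"{str(hits[n]):>11}" for n in names))
```

Reading the output: only the logged expression fires on the plain value "81", which reproduces the false positive in the quoted log. The assumed lookahead form and the proposed form never agree on the same input, because they test different things: the lookahead form fires on a percent sign that is not followed by a valid escape ("%1", "%zz"), while the proposed form fires on a percent sign that is followed by a valid escape ("%41", "%u0041"), which is the condition that matters for detecting a second layer of encoding after the first has been decoded. Which of the two a rule should use therefore depends on whether it is meant to catch malformed encoding or nested encoding.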
    </body>
</html>