From 9ec2a6561903d8178c4d1cccada3a352439185d8 Mon Sep 17 00:00:00 2001
From: Allan Boll
Date: Sat, 25 Jan 2020 01:50:51 +0000
Subject: [PATCH 1/3] Avoid embedded anchors in CRS rule 942330
---
 .../REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 2 +-
 util/regexp-assemble/regexp-942330.data | 44 +++++++++----------
 2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 725e21847..8b7b7e10e 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -898,7 +898,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 # (?i:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W|^.?[\"'`]$))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^(?:[\"'`\\\\]*?(?:[^\"'`]+[\"'`]|[\d\"'`]+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|.?[\"'`]$)|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W))" \
 "id:942330,\
 phase:2,\
 block,\
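Review bot: The rewritten `@rx` pattern on the added `SecRule` line for id 942330 comes with no regression test, so nothing in this patch pins that pulling `^` out of the repeated groups leaves the set of matched inputs unchanged; the diffstat lists only the rule file and `util/regexp-assemble/regexp-942330.data`. The rewrite looks behaviour-preserving, because each old `(?:^…)+` branch ends on a quote or digit and `^` cannot match again directly after one, so the `+` could never take a second iteration, but one matching and one non-matching case for the anchored branches would turn that argument into a checked property of a blocking SQLi rule. I would also record the constraint in the comment block above the rule, for example `# Keep ^ outside repeated groups: (?:^...)+ can only match once, so the quantifier adds nothing.`, so a later regeneration from the data file does not bring the embedded anchors back. The same applies to the 22 rewritten lines in the `regexp-942330.data` hunk, and the rule's action list continues past the end of this hunk.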
diff --git a/util/regexp-assemble/regexp-942330.data b/util/regexp-assemble/regexp-942330.data
index 1e9498404..222ca2dd5 100644
--- a/util/regexp-assemble/regexp-942330.data
+++ b/util/regexp-assemble/regexp-942330.data
@@ -6,28 +6,28 @@
 [\"'`]\s*?and\s*?[\"'`]?\d
 \\\\x(?:23|27|3d)
 ^.?[\"'`]$
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?and\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?nand\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?or\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?xor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?xxor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?div\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?like\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?between\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?not\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[\d\"'`]+)+\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?and\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?nand\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?or\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?xor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?xxor\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?div\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?like\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?between\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?not\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
-(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?and\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?nand\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?or\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?xor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?xxor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?div\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?like\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?between\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?not\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[\d\"'`]+\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?and\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?nand\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?or\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xxor\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?div\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?like\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?between\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?not\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\|\|\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\&\&\s*?[\w\"'`][+&!@(),.-]
 [^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w
 @\w+\s+and\s*?[\"'`\d]+
 @\w+\s+or\s*?[\"'`\d]+
From 12b5cf0ef6d4ca1cb65b6e07dc432561d2c2314b Mon Sep 17 00:00:00 2001
From: Allan Boll
Date: Sat, 25 Jan 2020 02:23:36 +0000
Subject: [PATCH 2/3] trying to retrigger travis
---
 rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 8b7b7e10e..c59c9d1a3 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1737,3 +1737,4 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 # -= Paranoia Levels Finished =-
 #
 SecMarker "END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+
From 935db629462844c9abf67caa14d3e47f112f19c0 Mon Sep 17 00:00:00 2001
From: Allan Boll
Date: Sat, 25 Jan 2020 02:23:47 +0000
Subject: [PATCH 3/3] trying to retrigger travis
---
 rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index c59c9d1a3..8b7b7e10e 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1737,4 +1737,3 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 # -= Paranoia Levels Finished =-
 #
 SecMarker "END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-