Drop unneeded capture groups
This covers all but 3 of the remaining offenders.  Minor style
changes while here.
fgsch committed Jun 12, 2018
1 parent 2d3efa2 commit 652d862
Showing 8 changed files with 39 additions and 39 deletions.
4 changes: 2 additions & 2 deletions rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Expand Up @@ -454,7 +454,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded
ver:'OWASP_CRS/3.0.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY|XML:/* "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
SecRule REQUEST_BODY|XML:/* "@rx \%(?:(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
"chain"
SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" \
"setvar:'tx.msg=%{rule.msg}',\
Expand Down Expand Up @@ -1194,7 +1194,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"


SecRule ARGS "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
SecRule ARGS "@rx \%(?:(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
"id:920230,\
phase:2,\
block,\
2 changes: 1 addition & 1 deletion rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Expand Up @@ -401,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble.
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(/[dflr].*)* %+[^ ]+ in\(.*\)\s?do)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(?:/[dflr].*)* %+[^ ]+ in\(.*\)\s?do)" \
"id:932140,\
phase:2,\
block,\
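Review bot: The group `(?:/[dflr].*)*` on the 932140 rule line (and on its source line in util/regexp-assemble/regexp-932140.data) still nests an unbounded `.*` inside a `*` repetition, so a long run of `/d`-style switches that ultimately fails to match can be split in many different ways before the engine gives up. Because `.*` already absorbs any further switches, a single optional group appears to accept the same inputs without that ambiguity: `\bfor(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do`. On ModSecurity, heavy backtracking usually ends at the configured PCRE match limit, and it is worth confirming how a rule that hits the limit is handled so that it does not turn into a silent miss. The rule line would need to be regenerated from the data file after the change.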
10 changes: 5 additions & 5 deletions rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Expand Up @@ -291,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
# Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \
"id:941190,\
phase:2,\
block,\
Expand Down Expand Up @@ -347,7 +347,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
"id:941210,\
phase:2,\
block,\
Expand Down Expand Up @@ -375,7 +375,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:[\t]|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
"id:941220,\
phase:2,\
block,\
Expand Down Expand Up @@ -459,7 +459,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
"id:941250,\
phase:2,\
block,\
Expand Down Expand Up @@ -848,7 +848,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).*?(?:(?:l|\\\\u006C)(?:o|\\\\u006F)(?:c|\\\\u0063)(?:a|\\\\u0061)(?:t|\\\\u0074)(?:i|\\\\u0069)(?:o|\\\\u006F)(?:n|\\\\u006E)|(?:n|\\\\u006E)(?:a|\\\\u0061)(?:m|\\\\u006D)(?:e|\\\\u0065)|(?:o|\\\\u006F)(?:n|\\\\u006E)(?:e|\\\\u0065)(?:r|\\\\u0072)(?:r|\\\\u0072)(?:o|\\\\u006F)(?:r|\\\\u0072)|(?:v|\\\\u0076)(?:a|\\\\u0061)(?:l|\\\\u006C)(?:u|\\\\u0075)(?:e|\\\\u0065)(?:O|\\\\u004F)(?:f|\\\\u0066)).*?=)" \
"id:941330,\
phase:2,\
block,\
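Review bot: Rules 941210 and 941220 have no comment in the visible context above them, and after the rewrite each is still one very long line in which the same whitespace sub-pattern is repeated between every letter, which makes hand edits like this one hard to verify. A short description would help, for example `# Matches "javascript:" with each letter optionally written as a numeric character reference, and tab characters or tab/newline references allowed between letters` above 941210, and the `vbscript:` equivalent above 941220. The hunk context starts only three lines above each rule, so an existing description further up may already cover this.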
16 changes: 8 additions & 8 deletions rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Expand Up @@ -222,7 +222,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])" \
"id:942230,\
phase:2,\
block,\
Expand Down Expand Up @@ -280,7 +280,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \
"id:942250,\
phase:2,\
block,\
Expand All @@ -305,7 +305,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(union(.*?)select(.*?)from)))" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:)union.*?select.*?from" \
"id:942270,\
phase:2,\
block,\
Expand Down Expand Up @@ -513,7 +513,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,skipAfter:END-RE
# Identifies common initial SQLi probing requests where attackers insert/append
# quote characters to the existing normal payload to see how the app/db responds.
#
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (^\s*[\"'`;]+|[\"'`]+\s*$)" \
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \
"id:942110,\
phase:2,\
block,\
Expand Down Expand Up @@ -587,9 +587,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
# ./regexp-assemble.pl regexp-942130.data
# Note that after assemble an outer bracket with an ignore case flag is added
# to the Regexp::Assemble output:
# (?i:ASSEMBLE_OUTPUT)
# (?i)ASSEMBLE_OUTPUT
#
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)(?:<(?:=(?:([\s'\"`\(\)]*?)(?!\2)([\d\w]+)|>([\s'\"`\(\)]*?)(?:\2))|>?([\s'\"`\(\)]*?)(?!\2)([\d\w]+))|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)([\s'\"`\(\)]*?)(?!\2)([\d\w]+)|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)([\s'\"`\(\)]*?)(?:\2)))" \
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?(?:<(?:=(?:[\s'\"`\(\)]*?(?!\1)[\d\w]+|>[\s'\"`\(\)]*?(?:\1))|>?[\s'\"`\(\)]*?(?!\1)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`\(\)]*?(?!\1)[\d\w]+|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)[\s'\"`\(\)]*?(?:\1))" \
"id:942130,\
phase:2,\
block,\
Expand Down Expand Up @@ -666,7 +666,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# to the Regexp::Assemble output:
# (?i:ASSEMBLE_OUTPUT)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:between|x?or|and|div)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|like(?:[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|\W+[\w\"'`(])|[!=|](?:[\d\s!=+-]+.*?[\"'`(].*?|[\d\s!=]+.*?\d+)$|[^\w\s]?=\s*?[\"'`])|(?:\W*?[+=]+\W*?|[<>~]+)[\"'`])|(\/\*)+[\"'`]+\s?(?:\/\*|--|\{|#)?|\d[\"'`]\s+[\"'`]\s+\d|where\s[\s\w\.,-]+\s=|^admin\s*?[\"'`]|\sis\s*?0\W))" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`](?:\s*?(?:(?:between|x?or|and|div)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|like(?:[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|\W+[\w\"'`(])|[!=|](?:[\d\s!=+-]+.*?[\"'`(].*?|[\d\s!=]+.*?\d+)$|[^\w\s]?=\s*?[\"'`])|(?:\W*?[+=]+\W*?|[<>~]+)[\"'`])|(?:/\*)+[\"'`]+\s?(?:\/\*|--|\{|#)?|\d[\"'`]\s+[\"'`]\s+\d|where\s[\s\w\.,-]+\s=|^admin\s*?[\"'`]|\sis\s*?0\W)" \
"id:942180,\
phase:2,\
block,\
Expand Down Expand Up @@ -1293,7 +1293,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\
# 0/**/union/*!50000select*/table_name`foo`/**/
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^\-&]#.*?[\s\r\n\v\f]|;?\\x00)" \
"id:942440,\
phase:2,\
block,\
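Review bot: In the 942270 hunk the new pattern `(?i:)union.*?select.*?from` scopes the case-insensitive flag to an empty group, so `union`, `select` and `from` are now matched case-sensitively, unlike the old `(?i:(?:(union(.*?)select(.*?)from)))`. Unless the rule's action list, which is outside the visible lines, lowercases the input, upper-case or mixed-case keywords would no longer trigger this rule. The line should read `"@rx (?i)union.*?select.*?from"`, the same inline-flag form this commit uses for 942130. Separately, the 942130 comment still speaks of an "outer bracket" while its example now shows `(?i)ASSEMBLE_OUTPUT`; the wording could become `# Note that after assemble an ignore case flag is prepended to the Regexp::Assemble output:`.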
2 changes: 1 addition & 1 deletion rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Expand Up @@ -412,7 +412,7 @@ SecRule TX:sql_error_match "@eq 1" \
ver:'OWASP_CRS/3.0.0',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
"capture,\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.outbound_anomaly_score=+%{tx.critical_anomaly_score}',\
2 changes: 1 addition & 1 deletion util/regexp-assemble/regexp-932140.data
@@ -1,2 +1,2 @@
\bfor(/[dflr].*)* %+[^ ]+ in\(.*\)\s?do
\bfor(?:/[dflr].*)* %+[^ ]+ in\(.*\)\s?do
\bif(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))
32 changes: 16 additions & 16 deletions util/regexp-assemble/regexp-942130.data
@@ -1,16 +1,16 @@
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)=([\s'\"`\(\)]*?)(?:\2)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<=>([\s'\"`\(\)]*?)(?:\2)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)like([\s'\"`\(\)]*?)(?:\2)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)rlike([\s'\"`\(\)]*?)(?:\2)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)sounds\s+like([\s'\"`\(\)]*?)(?:\2)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)regexp([\s'\"`\(\)]*?)(?:\2)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)!=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)>=([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<>([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)<([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)>([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)\^([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)is\s+not([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)not\s+like([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)not\s+regexp([\s'\"`\(\)]*?)(?!\2)([\d\w]+)
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?=[\s'\"`\(\)]*?(?:\1)
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?<=>[\s'\"`\(\)]*?(?:\1)
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?like[\s'\"`\(\)]*?(?:\1)
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?rlike[\s'\"`\(\)]*?(?:\1)
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?sounds\s+like[\s'\"`\(\)]*?(?:\1)
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?regexp[\s'\"`\(\)]*?(?:\1)
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?!=[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?<=[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?>=[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?<>[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?<[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?>[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?\^[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?is\s+not[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?not\s+like[\s'\"`\(\)]*?(?!\1)[\d\w]+
[\s'\"`\(\)]*?([\d\w]++)[\s'\"`\(\)]*?not\s+regexp[\s'\"`\(\)]*?(?!\1)[\d\w]+
10 changes: 5 additions & 5 deletions util/regexp-assemble/regexp-942180.data
@@ -1,10 +1,10 @@
\d[\"'`]\s+[\"'`]\s+\d
^admin\s*?[\"'`]
(\/\*)+[\"'`]+\s?
(\/\*)+[\"'`]+\s?--
(\/\*)+[\"'`]+\s?#
(\/\*)+[\"'`]+\s?\/\*
(\/\*)+[\"'`]+\s?{
(?:/\*)+[\"'`]+\s?
(?:/\*)+[\"'`]+\s?--
(?:/\*)+[\"'`]+\s?#
(?:/\*)+[\"'`]+\s?/\*
(?:/\*)+[\"'`]+\s?{
[\"'`]\s*?or[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
[\"'`]\s*?xor[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
[\"'`]\s*?div[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
