False Positive with "Union von" rule id 942190 #2047
Comments
Can you share how you fix this false positive? I submitted a similar false positive, #2044, but didn't get any response. I'd like to fix it by myself if possible.
I will solve the false positive by expanding the regex so that it matches less aggressively. Using the example of This will reduce the number of false positives, but unfortunately we may also introduce poorer coverage and possible false negatives. In this case, in this old commit, we moved the two keywords UNION and ALTER to a strict sibling at paranoia level 2, to still have the coverage at a higher paranoia level. A fix, a pull request, would be very welcome. Please let us know if we can help.
We'll get to #2044 in due time. Sorry for taking so long, but it's a lot of issues...
We talked about this in the April issue chat. Given that PR #2058 is on a good track, we are closing this issue in favor of the PR.
Description
We already fixed false positives with the SQL keyword "union". This is a new one:
Reproduce:
curl -X POST -d 'test=Die "Union von Europa"' localhost
Audit Logs / Triggered Rule Numbers
Rule ID 942190:
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
I can have a look at this, but wanted to document it here so that I don't forget it.