Merge pull request #985 from emphazer/v3_942370_3.1/dev

Classic SQL injection probing rule split of rule 942370 (-> new rule 942490)

Author: dune73

rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

@@ -851,6 +851,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
+#
+# -=[ SQL Injection Probings ]=-
+#
+# This is a group of three similar rules aiming to detect SQL injection probings.
+#
+# 942330 PL 2
+# 942370 PL 2
+# 942490 PL 3
 # Regexp generated from util/regexp-assemble/regexp-942330.data using Regexp::Assemble.
 # To rebuild the regexp:
 #   cd util/regexp-assemble
@@ -865,7 +873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     block,\
     capture,\
     t:none,t:urlDecodeUni,\
-    msg:'Detects classic SQL injection probings 1/2',\
+    msg:'Detects classic SQL injection probings 1/3',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
@@ -921,6 +929,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
+# This rule is a sibling of 942330. See that rule for a description and overview.
 # Regexp generated from util/regexp-assemble/regexp-942370.data using Regexp::Assemble.
 # To rebuild the regexp:
 #   cd util/regexp-assemble
@@ -929,13 +938,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 #   (?i:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|[\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]|.*?\*\s*?\d)|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]))" \
     "id:942370,\
     phase:2,\
     block,\
     capture,\
     t:none,t:urlDecodeUni,\
-    msg:'Detects classic SQL injection probings 2/2',\
+    msg:'Detects classic SQL injection probings 2/3',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
@@ -1336,6 +1345,41 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
+# This rule is a stricter sibling of 942330. See that rule for a description and overview.
+# Regexp generated from util/regexp-assemble/regexp-942490.data using Regexp::Assemble.
+# To rebuild the regexp:
+#   cd util/regexp-assemble
+#   ./regexp-assemble.pl regexp-942490.data
+# Note that after assemble an outer bracket is added
+# to the Regexp::Assemble output:
+#   (?:ASSEMBLE_OUTPUT)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])" \
+    "id:942490,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:urlDecodeUni,\
+    msg:'Detects classic SQL injection probings 3/3',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-sqli',\
+    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
+    tag:'WASCTC/WASC-19',\
+    tag:'OWASP_TOP_10/A1',\
+    tag:'OWASP_AppSensor/CIE1',\
+    tag:'PCI/6.5.2',\
+    tag:'paranoia-level/3',\
+    rev:2,\
+    ver:'OWASP_CRS/3.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.msg=%{rule.msg}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
 #
 # [ SQL Injection Character Anomaly Usage ]
 #

util/regexp-assemble/regexp-942370.data

@@ -12,7 +12,6 @@
 ^[\w\s\"'`-]+(?<=and\s)(?<=like)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(
 ^[\w\s\"'`-]+(?<=and\s)(?<=between)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(
 ^[\w\s\"'`-]+(?<=and\s)(?<=and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(
-[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]
 [\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]
 [\"'`]\s*?[^\w\s]+\s*?[\W\d].*?#
 [\"'`]\s*?[^\w\s]+\s*?[\W\d].*?--

util/regexp-assemble/regexp-942490.data

@@ -0,0 +1 @@
+[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]