@@ -851,6 +851,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
851
851
setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
852
852
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
853
853
854
+ #
855
+ # -=[ SQL Injection Probings ]=-
856
+ #
857
+ # This is a group of three similar rules aiming to detect SQL injection probings.
858
+ #
859
+ # 942330 PL 2
860
+ # 942370 PL 2
861
+ # 942490 PL 3
854
862
# Regexp generated from util/regexp-assemble/regexp-942330.data using Regexp::Assemble.
855
863
# To rebuild the regexp:
856
864
# cd util/regexp-assemble
@@ -865,7 +873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
865
873
block,\
866
874
capture,\
867
875
t:none,t:urlDecodeUni,\
868
- msg:'Detects classic SQL injection probings 1/2 ',\
876
+ msg:'Detects classic SQL injection probings 1/3 ',\
869
877
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
870
878
tag:'application-multi',\
871
879
tag:'language-multi',\
@@ -921,6 +929,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
921
929
setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
922
930
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
923
931
932
+ # This rule is a sibling of 942330. See that rule for a description and overview.
924
933
# Regexp generated from util/regexp-assemble/regexp-942370.data using Regexp::Assemble.
925
934
# To rebuild the regexp:
926
935
# cd util/regexp-assemble
@@ -929,13 +938,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
929
938
# to the Regexp::Assemble output:
930
939
# (?i:ASSEMBLE_OUTPUT)
931
940
#
932
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|[\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]| .*?\*\s*?\d)|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]))" \
941
+ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]))" \
933
942
"id:942370,\
934
943
phase:2,\
935
944
block,\
936
945
capture,\
937
946
t:none,t:urlDecodeUni,\
938
- msg:'Detects classic SQL injection probings 2/2 ',\
947
+ msg:'Detects classic SQL injection probings 2/3 ',\
939
948
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
940
949
tag:'application-multi',\
941
950
tag:'language-multi',\
@@ -1336,6 +1345,41 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
1336
1345
setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
1337
1346
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
1338
1347
1348
+ # This rule is a stricter sibling of 942330. See that rule for a description and overview.
1349
+ # Regexp generated from util/regexp-assemble/regexp-942490.data using Regexp::Assemble.
1350
+ # To rebuild the regexp:
1351
+ # cd util/regexp-assemble
1352
+ # ./regexp-assemble.pl regexp-942490.data
1353
+ # Note that after assemble an outer bracket is added
1354
+ # to the Regexp::Assemble output:
1355
+ # (?:ASSEMBLE_OUTPUT)
1356
+ #
1357
+ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])" \
1358
+ "id:942490,\
1359
+ phase:2,\
1360
+ block,\
1361
+ capture,\
1362
+ t:none,t:urlDecodeUni,\
1363
+ msg:'Detects classic SQL injection probings 3/3',\
1364
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
1365
+ tag:'application-multi',\
1366
+ tag:'language-multi',\
1367
+ tag:'platform-multi',\
1368
+ tag:'attack-sqli',\
1369
+ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
1370
+ tag:'WASCTC/WASC-19',\
1371
+ tag:'OWASP_TOP_10/A1',\
1372
+ tag:'OWASP_AppSensor/CIE1',\
1373
+ tag:'PCI/6.5.2',\
1374
+ tag:'paranoia-level/3',\
1375
+ rev:2,\
1376
+ ver:'OWASP_CRS/3.0.0',\
1377
+ severity:'CRITICAL',\
1378
+ setvar:'tx.msg=%{rule.msg}',\
1379
+ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
1380
+ setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
1381
+ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
1382
+
1339
1383
#
1340
1384
# [ SQL Injection Character Anomaly Usage ]
1341
1385
#
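Review bot: The rewritten `@rx` of rule 942370 (new line 941) does more than drop the alternative that moved to 942490: the remaining last alternative changed from `| .*?\*\s*?\d)` to `|.*?\*\s*?\d)`, so the leading literal space is gone and the branch now also fires on a quote followed directly by `*` and a digit, which slightly widens what PL2 blocks. If that is intentional it should be stated, since the comment above the rule says the expression is generated from util/regexp-assemble/regexp-942370.data and that data file is not visible in this diff; if it is accidental, the `(?i:...)` should be regenerated from the updated data file so the two stay in lockstep. The new 942490 header calls it a "stricter sibling of 942330" while the group comment in 942330 calls them "three similar rules"; a paranoia-level-3 rule is the more aggressive (false-positive-prone) pattern rather than a stricter one, so `# This rule is a more aggressive sibling of 942330 (PL3); see that rule for a description and overview.` reads less ambiguously.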