
Commit 4207ae0

Merge pull request #985 from emphazer/v3_942370_3.1/dev
Classic SQL injection probing rule split of rule 942370 (-> new rule 942490)
2 parents bf1cffe + 7098fd4 commit 4207ae0

3 files changed

+48
-4
lines changed


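--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -851,6 +851,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
+#
+# -=[ SQL Injection Probings ]=-
+#
+# This is a group of three similar rules aiming to detect SQL injection probings.
+#
+# 942330 PL 2
+# 942370 PL 2
+# 942490 PL 3
 # Regexp generated from util/regexp-assemble/regexp-942330.data using Regexp::Assemble.
 # To rebuild the regexp:
 # cd util/regexp-assemble
@@ -865,7 +873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 block,\
 capture,\
 t:none,t:urlDecodeUni,\
-msg:'Detects classic SQL injection probings 1/2',\
+msg:'Detects classic SQL injection probings 1/3',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-multi',\
@@ -921,6 +929,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
+# This rule is a sibling of 942330. See that rule for a description and overview.
 # Regexp generated from util/regexp-assemble/regexp-942370.data using Regexp::Assemble.
 # To rebuild the regexp:
 # cd util/regexp-assemble
@@ -929,13 +938,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 # (?i:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|[\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]|.*?\*\s*?\d)|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`]))" \
 "id:942370,\
 phase:2,\
 block,\
 capture,\
 t:none,t:urlDecodeUni,\
-msg:'Detects classic SQL injection probings 2/2',\
+msg:'Detects classic SQL injection probings 2/3',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-multi',\
@@ -1336,6 +1345,41 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
+# This rule is a stricter sibling of 942330. See that rule for a description and overview.
+# Regexp generated from util/regexp-assemble/regexp-942490.data using Regexp::Assemble.
+# To rebuild the regexp:
+# cd util/regexp-assemble
+# ./regexp-assemble.pl regexp-942490.data
+# Note that after assemble an outer bracket is added
+# to the Regexp::Assemble output:
+# (?:ASSEMBLE_OUTPUT)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])" \
+"id:942490,\
+phase:2,\
+block,\
+capture,\
+t:none,t:urlDecodeUni,\
+msg:'Detects classic SQL injection probings 3/3',\
+logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+tag:'application-multi',\
+tag:'language-multi',\
+tag:'platform-multi',\
+tag:'attack-sqli',\
+tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
+tag:'WASCTC/WASC-19',\
+tag:'OWASP_TOP_10/A1',\
+tag:'OWASP_AppSensor/CIE1',\
+tag:'PCI/6.5.2',\
+tag:'paranoia-level/3',\
+rev:2,\
+ver:'OWASP_CRS/3.0.0',\
+severity:'CRITICAL',\
+setvar:'tx.msg=%{rule.msg}',\
+setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
+setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
 #
 # [ SQL Injection Character Anomaly Usage ]
 #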
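Review bot: The new rule 942490 (new line 1357) is actually gated by the paranoia-level skipAfter markers that surround it, not by its `tag:'paranoia-level/3'`, and those markers sit outside the hunk; confirm that new line 1348 falls inside the PL3 block, since otherwise the pattern just removed from 942370 either keeps firing at PL2 (defeating the split) or is never evaluated at PL3. The rule also carries `ver:'OWASP_CRS/3.0.0'` while the PR targets the 3.1/dev branch; check that this matches the `ver` value the siblings 942330 and 942370 use (not visible here) so the stamp is not stale from the copy. On style, the new section header at line 855 uses `# -=[ SQL Injection Probings ]=-` whereas the neighbouring header at line 1384 uses `# [ SQL Injection Character Anomaly Usage ]`; `# [ SQL Injection Probings ]` would match the file's existing form. The "(?:ASSEMBLE_OUTPUT)" comment for 942490 differs from the "(?i:ASSEMBLE_OUTPUT)" note on its siblings; this looks intentional since the assembled pattern contains no letters, but a short comment saying so would keep the next maintainer from "fixing" it.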

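--- a/util/regexp-assemble/regexp-942370.data
+++ b/util/regexp-assemble/regexp-942370.data
@@ -12,7 +12,6 @@
 ^[\w\s\"'`-]+(?<=and\s)(?<=like)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(
 ^[\w\s\"'`-]+(?<=and\s)(?<=between)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(
 ^[\w\s\"'`-]+(?<=and\s)(?<=and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(
-[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]
 [\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]
 [\"'`]\s*?[^\w\s]+\s*?[\W\d].*?#
 [\"'`]\s*?[^\w\s]+\s*?[\W\d].*?--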
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]
