changed regexp-942360.data to circumvent regexp-assemble bug and optimized rule 942360

franbuehler · franbuehler · commit 24ecc3170e90 · 2017-10-24T15:45:33.000Z
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -451,7 +451,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\d\W]\s+as\s*?[\"'`\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc)\b)|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`]\s+regexp\W)|(?:[\s(]load_file\s*?\())" \
+# Regexp generated from util/regexp-assemble/regexp-942360.data using Regexp::Assemble.
+# To rebuild the regexp:
+#   cd util/regexp-assemble
+#   ./regexp-assemble.pl regexp-942360.data
+# Note that after assemble an outer bracket with an ignore case flag is added
+# to the Regexp::Assemble output:
+#   (?i:ASSEMBLE_OUTPUT)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|^[\W\d]+\s*?(?:(?:(?:trunc|cre)at|renam)e|(?:inser|selec)t|u(?:pdate|nion)|de(?:lete|sc)|alter|load)\b|[\d\W]\s+as\s*?[\"'`\w]+\s*?from|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \
     "phase:2,\
     rev:'2',\
     ver:'OWASP_CRS/3.0.0',\
diff --git a/util/regexp-assemble/regexp-942360.data b/util/regexp-assemble/regexp-942360.data
@@ -1,33 +1,33 @@
-alter\s+char\s?\(?
-alter\s+group_concat\s?\(?
-alter\s+load_file\s?\(?
-create\s+char\s?\(?
-create\s+group_concat\s?\(?
-create\s+load_file\s?\(?
-delete\s+char\s?\(?
-delete\s+group_concat\s?\(?
-delete\s+load_file\s?\(?
-desc\s+char\s?\(?
-desc\s+group_concat\s?\(?
-desc\s+load_file\s?\(?
-insert\s+char\s?\(?
-insert\s+group_concat\s?\(?
-insert\s+load_file\s?\(?
-load\s+char\s?\(?
-load\s+group_concat\s?\(?
-load\s+load_file\s?\(?
-rename\s+char\s?\(?
-rename\s+group_concat\s?\(?
-rename\s+load_file\s?\(?
-select\s+char\s?\(?
-select\s+group_concat\s?\(?
-select\s+load_file\s?\(?
-truncate\s+char\s?\(?
-truncate\s+group_concat\s?\(?
-truncate\s+load_file\s?\(?
-update\s+char\s?\(?
-update\s+group_concat\s?\(?
-update\s+load_file\s?\(?
+alter\s+char\s?[(]?
+alter\s+group_concat\s?[(]?
+alter\s+load_file\s?[(]?
+create\s+char\s?[(]?
+create\s+group_concat\s?[(]?
+create\s+load_file\s?[(]?
+delete\s+char\s?[(]?
+delete\s+group_concat\s?[(]?
+delete\s+load_file\s?[(]?
+desc\s+char\s?[(]?
+desc\s+group_concat\s?[(]?
+desc\s+load_file\s?[(]?
+insert\s+char\s?[(]?
+insert\s+group_concat\s?[(]?
+insert\s+load_file\s?[(]?
+load\s+char\s?[(]?
+load\s+group_concat\s?[(]?
+load\s+load_file\s?[(]?
+rename\s+char\s?[(]?
+rename\s+group_concat\s?[(]?
+rename\s+load_file\s?[(]?
+select\s+char\s?[(]?
+select\s+group_concat\s?[(]?
+select\s+load_file\s?[(]?
+truncate\s+char\s?[(]?
+truncate\s+group_concat\s?[(]?
+truncate\s+load_file\s?[(]?
+update\s+char\s?[(]?
+update\s+group_concat\s?[(]?
+update\s+load_file\s?[(]?
 end\s*?\);
 [\s(]load_file\s*?\(
 [\"'`]\s+regexp\W
