optimize regexp-942340.data and rule 942340

Author: franbuehler

rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

@@ -881,7 +881,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`]|[=\d]+x))|([\"'`]\s*?\d\s*?(?:--|#))|(?:[\"'`][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`])|(?:[\"'`]\s*?is\s*?\d.+[\"'`]?\w)|(?:[\"'`]\|?[\w-]{3,}[^\w\s.,]+[\"'`])|(?:[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`]))" \
+# Regexp generated from util/regexp-assemble/regexp-942340.data using Regexp::Assemble.
+# To rebuild the regexp:
+#   cd util/regexp-assemble
+#   ./regexp-assemble.pl regexp-942340.data
+#   Note that part of regexp-942340.data is already optimized, to avoid a 
+#   Regexp::Assemble behaviour, where the regex is not optimized very nicely.
+# Note that after assemble an outer bracket with an ignore case flag is added
+# to the Regexp::Assemble output:
+#   (?i:ASSEMBLE_OUTPUT)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[\"'`]|\d.+[\"'`]?\w)|\d\s*?(?:--|#))|(?:\W+[\w+-]+\s*?=\s*?\d\W+|\|?[\w-]{3,}[^\w\s.,]+)[\"'`]|[\%&<>^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+(?:sounds\s+like\s*?[\"'`]|regexp\s*?\(|[=\d]+x)|in\s*?\(+\s*?select))" \
     "phase:2,\
     rev:'2',\
     ver:'OWASP_CRS/3.0.0',\

util/regexp-assemble/regexp-942340.data

@@ -1,37 +1,7 @@
 in\s*?[(]+\s*?select
-and\s+[\s\w+]+regexp\s*?\(
-nand\s+[\s\w+]+regexp\s*?\(
-or\s+[\s\w+]+regexp\s*?\(
-xor\s+[\s\w+]+regexp\s*?\(
-xxor\s+[\s\w+]+regexp\s*?\(
-div\s+[\s\w+]+regexp\s*?\(
-like\s+[\s\w+]+regexp\s*?\(
-between\s+[\s\w+]+regexp\s*?\(
-not\s+[\s\w+]+regexp\s*?\(
-\|\|\s+[\s\w+]+regexp\s*?\(
-\&\&\s+[\s\w+]+regexp\s*?\(
-and\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-nand\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-or\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-xor\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-xxor\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-div\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-like\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-between\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-not\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-\|\|\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-\&\&\s+[\s\w+]+sounds\s+like\s*?[\"'`]
-and\s+[\s\w+]+[=\d]+x
-nand\s+[\s\w+]+[=\d]+x
-or\s+[\s\w+]+[=\d]+x
-xor\s+[\s\w+]+[=\d]+x
-xxor\s+[\s\w+]+[=\d]+x
-div\s+[\s\w+]+[=\d]+x
-like\s+[\s\w+]+[=\d]+x
-between\s+[\s\w+]+[=\d]+x
-not\s+[\s\w+]+[=\d]+x
-\|\|\s+[\s\w+]+[=\d]+x
-\&\&\s+[\s\w+]+[=\d]+x
+(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+regexp\s*?\(
+(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+sounds\s+like\s*?[\"'`]
+(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+[=\d]+x
 [\"'`]\s*?\d\s*?--
 [\"'`]\s*?\d\s*?#
 [\"'`][\%&<>^=]+\d\s*?=