Apache-2.2

Modsecurity REGEX 有沒有效果?

  • November 22, 2016
[25/Oct/2016:09:35:16 +0200] [demo.localhost.me/sid#555555a697d8][rid#5555572958d8][/XXXXX.php][2]
Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){5,}" 
at ARGS_NAMES:MtCons-NSOPE3-MtCons12-HJIBE-2808-J103048-2016. [file "/XXXXX/apc22/virtual
/XXXX/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] 
[data "Matched Data: - found within ARGS_NAMES:MtCons-NSOPE3-MtCons12-HJIBE-2808-J103048-2016: MtCons-NSOPE3-MtCons12-HJIBE-2808-J103048-2016"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

你好,

我正在嘗試用正則表達式刪除這個假陽性,但這似乎是不可能的?

我熟悉 ModSecurity 白名單,但這個“ARGS_NAMES”的正則表達式似乎不起作用。

我試過了:

SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/MtCons.*/"

SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/MtCons.*/gm"

謝謝你的幫助

正確的語法是:

SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/MtCons.*/"

引用自:https://serverfault.com/questions/813739