Rule 981245 triggers false positives on certain "complex" cookie values about coreruleset HOT 4 CLOSED

User rcbarnett-zz commented on date 2013-07-01 17:01:53:

These filters were converted from PHPIDS SQLi filters. Will need to look into these deeper. I have a feeling many of these will be deprecated with the inclusion of libinjection code in the @detectSQLi operator.

from coreruleset.

User rcbarnett-zz commented on date 2014-03-31 19:02:05:

In the new CRS v3.0.0 - we are removing REQUEST_COOKIES variables from inspect for the converted PHPIDS signatures due to higher FP rates.

from coreruleset.

User OrySegal commented on date 2014-03-31 20:14:13:

Good choice:-)

On Mon, Mar 31, 2014 at 10:02 PM, Ryan Barnett notificationsgithub.comwrote:

In the new CRS v3.0.0 - we are removing REQUEST_COOKIES variables from
inspect for the converted PHPIDS signatures due to higher FP rates.

Reply to this email directly or view it on GitHubhttps://github.com/SpiderLabs/owasp-modsecurity-crs/issues/35#issuecomment-39127672
.

from coreruleset.

User dune73 commented on date 2016-11-19 04:21:38:

With the renumbering taking place, 981245 is now 942260.

In the end, rcbarnett's idea was not put into practice. But the rule has been moved to Paranoia Level 2 and is thus no longer part of the default installation. At PL2, we expect people to be able to handle casual false positives.

If the regex is still a widspread problem, we need to investigate further, but for now, I am closing this.

from coreruleset.