Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Rule 951260
See original GitHub issueDescription
Rule ID 951260 is doing lots of false positives, it is quite easy to trigger it. It has two conditions:
SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
So, if response contains anything from file sql-errors.data AND contains at least one phrase which match these regexpes:
Sybase message:
Warning.*sybase.*
Sybase.*Server message.*
If you look into sql-errors.data, for example these phrases are found:
sybase
Warning
Sybase message
Sybase message:
Server message
So, in lots of cases, the rule acts as if it has only one of the conditions above. I believe one of these should be done:
- remove rule 951260
- remove phrases above from
sql-errors.data(maybe some more)
Your Environment
- CRS version (e.g., v3.2.0): 3.3.0
- Paranoia level setting: PL1
- ModSecurity version (e.g., 2.9.3): 2.9.3
- Web Server and version (e.g., apache 2.4.41): 2.4
- Operating System and version: Debian Buster
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Issue Analytics
- State:
- Created 3 years ago
- Comments:15 (14 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
It would be awesome if you could do it @azurit , as said I am still swamped and cannot be as active as I would like.
@azurit Thanks, forgot about this one. I will make time for it in the weekend.