Custom charsets in the rules 920600 and 922110

105 views
Skip to first unread message

mahh m

unread,
Jan 21, 2024, 1:04:10 AMJan 21
to modsecurity-core...@owasp.org
Hi,
I need to make the regexp of the rules 920600 and 922110 (chain) custom. As I understood, the regexp is created based on four files in CRS4: 920600.ra/922110-chain1.ra, allowed-charsets.ra, charset-specification.ra and charset-specification-no-anchors.ra. So,
 What are these files? 
How should I use them to have my custom regexp to cover my intended charsets? 
What about CRS 3? Can I make this regexp dynamic in that version? (in CRS 3.3.X there is only 920600.data/922110-chain1.data and allowed-charsets.data)
What if I change the place of these rules and place them in a file (cut them from the original ruleset file)?

Franziska Buehler

unread,
Jan 21, 2024, 4:53:15 AMJan 21
to mahh m, modsecurity-core...@owasp.org
Hi!

Thanks for asking and sorry for your inconvenience.

Unfortunately, I can't see from your question what problem you're trying to solve or what false positives you have.
It's possible that your problem will be solved with the latest version CRS v4.0 as both rules 920600 and 922110 have been changed to avoid false positives.
A lot has changed between 3.x and 4.0 when generating the regular expressions from the .ra (source) files and I would rather avoid tinkering with it.
So if your problem was solved with 4.0 it would be much easier.
Could you please test it with dev version 4.0 (https://github.com/coreruleset/coreruleset/tree/v4.0/dev/rules), at least the two rules?
Otherwise it would be very helpful for the CRS project if you opened a false positive report with all the important information to help you:

Please fill out the template and provide the following information if possible:
* Full alert (ideally send us the full audit log of the request)
* Web server and version or platform you are using
* ModSecurity version
* CRS version

Best,
CRS Dev on Duty


--
You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modsecurity-core-rule-...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/CAB8YvALsbhS3c8xpf4%3D0YPg9KSwt4e3xDidmFAqAK85z8V034g%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages