This repository has been archived by the owner on May 14, 2020. It is now read-only.
I think this rule has a similar issue to #1580 and will very aggressively match weird patterns like behavingbadly/.
I suspect the simplest fix would be to add \b right and left.
Confirmation
[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
Also experiencing this same issue -- catching "having pain." and "having tooth #30". This is a way overly aggressive regex.
Any word on when someone might fix this?
Sorry for the inconvenience, guys. This is annoying. And the examples you give clearly underline the fact that this is overly aggressive.
@dentaldeveloper : Are you able to write a rule exclusion as a workaround?
One problem with 942230 is that we only have 1 official unit test for this rule. So it is possible that we add a \b and stop detecting the things this is made for.
However, I have over 500 attacking payloads that this rule detects. And many of them could be made into FTW tests. Then we could change the rule and use these checks to see the payloads are still detected.
Is one of you guys interested in doing that? I could provide you with the payloads via direct message.
Thanks for the quick response. I will probably write a workaround for this until it can be fixed. Unfortunately, I'm not familiar with the FTW framework for testing -- so I won't be able to help at this time.
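The regression check discussed in this thread (change the pattern, then confirm known payloads are still detected while the reported false positives go away), sketched as an added example that is not code from the thread or from the CRS project. The two patterns are simplified stand-ins assumed for illustration, not the text of rule 942230, and the SQL fragments are constructed samples.

```python
import re

# ASSUMPTION: simplified stand-ins for the keyword fragment under discussion,
# not the actual text of CRS rule 942230.
LOOSE = r"(?i)having\s*?[^\s]+\s*?[^\w\s]"
BOUNDED = r"(?i)\bhaving\b\s*?[^\s]+\s*?[^\w\s]"  # same fragment with \b left and right

# Benign inputs quoted by the reporters in this thread.
BENIGN = ["behavingbadly/", "having pain.", "having tooth #30"]

# Constructed SQL fragments standing in for a regression payload set.
MALICIOUS = ["1 having 1=1", "group by id having count(*)>1"]


def evaluate(pattern):
    """Return which benign samples the pattern flags and which payloads it misses."""
    rx = re.compile(pattern)
    return {
        "false_positives": [s for s in BENIGN if rx.search(s)],
        "missed": [s for s in MALICIOUS if not rx.search(s)],
    }


def compare(before, after):
    """Summarise the effect of replacing pattern `before` with pattern `after`."""
    b, a = evaluate(before), evaluate(after)
    return {
        # False positives the new pattern no longer produces.
        "fixed": [s for s in b["false_positives"] if s not in a["false_positives"]],
        # Benign samples the new pattern still flags.
        "still_flagged": a["false_positives"],
        # Payloads detected before the change but missed after it.
        "regressions": [s for s in a["missed"] if s not in b["missed"]],
    }


if __name__ == "__main__":
    for key, value in compare(LOOSE, BOUNDED).items():
        print(f"{key}: {value}")
```

With these stand-in patterns, the word boundaries clear `behavingbadly/` and lose neither constructed payload, but both "having ..." phrases are still flagged because "having" is a whole word there.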
Type of Issue
False positive