Max Leske

Results 149 comments of Max Leske

`msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination'` `space` is a function in MySQL, apparently. The SQLi rules are a mess and we're in the process of cleaning them up. It...

@alex-scratch from what you describe it sounds like cookies could be at fault. Looking at the rule, you will see that it checks a bunch of fields, including cookies and...

Thanks for the update @alex-scratch. Could you possibly share (redacted) data from those cookies that trigger the rule? We can use it to write a test case.

That's great @alex-scratch! Thanks for the help.

Yes, that is correct. JSON in Cookies is really a nightmare. There's nothing we can do on our side, at least not short-term. You will have to tune those rules....

I think there is a misconception here w.r.t. how DOS blocking works (admittedly, it's not intuitive). `TX:DOS_BURST_TIME_SLICE` is only relevant for paranoia level 1, because it is applied to `IP:DOS_BURST_COUNTER`,...

I think option 2 is semantically correct. It is not the burst that becomes invalid after a certain time. We actually want some way to define what we consider a...

@dune73 I've created a proof of concept PR https://github.com/coreruleset/dos-protection-plugin-modsecurity-v2/pull/3.

@dune73 @karelorigin regexp-assemble currently has two modes of evasion prevention, one for Windows and one for Unix shells. I'm not sure whether that is exactly what you want (documented here:...

@karelorigin any updates on this issue?