Fix rule 45 regex logic/compile error

felixbuenemann · felixbuenemann · commit fbed0387bae7 · 2013-03-26T20:08:26.000+01:00
The rule tries to capture `(all|distinc|[(]*)?` which is not possible, because you cannot match at least one occurence of a zero or more match. Simpliefied invalid vs. valid example: `([(]*)?` vs. `([(]*)` This fixes issue PHPIDS#18.
diff --git a/lib/IDS/default_filter.json b/lib/IDS/default_filter.json
@@ -555,7 +555,7 @@
       },
       {
         "id":"45",
-        "rule":"(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
+        "rule":"(?:union\\s*(?:all|distinct|[(!@]*)\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
         "description":"Detects basic SQL authentication bypass attempts 2\/3",
         "tags":{
           "tag":[
diff --git a/lib/IDS/default_filter.xml b/lib/IDS/default_filter.xml
@@ -469,7 +469,7 @@
     </filter>
     <filter>
         <id>45</id>
-        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,"-]+from)|(?:find_in_set\s*\()]]></rule>
+        <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,"-]+from)|(?:find_in_set\s*\()]]></rule>
         <description>Detects basic SQL authentication bypass attempts 2/3</description>
         <tags>
             <tag>sqli</tag>

Original file line number	Diff line number	Diff line change
`@@ -555,7 +555,7 @@`
`555`	`555`	`},`
`556`	`556`	`{`
`557`	`557`	`"id":"45",`
`558`		`- "rule":"(?:union\\s(?:all\|distinct\|[(!@])?\\s[([]\\sselect)\|(?:\\w+\\s+like\\s+\\\")\|(?:like\\s\"\\%)\|(?:\"\\slike\\W[\"\\d])\|(?:\"\\s(?:n?and\|x?or\|not \|\\\|\\\|\|\\&\\&)\\s+[\\s\\w]+=\\s\\w+\\shaving)\|(?:\"\\s\\\\s\\w+\\W+\")\|(?:\"\\s[^?\\w\\s=.,;)(]+\\s[(@\"]\\s\\w+\\W+\\w)\|(?:select\\s[\\[\\]()\\s\\w\\.,\"-]+from)\|(?:find_in_set\\s\\()",`
	`558`	`+ "rule":"(?:union\\s(?:all\|distinct\|[(!@])\\s[([]\\sselect)\|(?:\\w+\\s+like\\s+\\\")\|(?:like\\s\"\\%)\|(?:\"\\slike\\W[\"\\d])\|(?:\"\\s(?:n?and\|x?or\|not \|\\\|\\\|\|\\&\\&)\\s+[\\s\\w]+=\\s\\w+\\shaving)\|(?:\"\\s\\\\s\\w+\\W+\")\|(?:\"\\s[^?\\w\\s=.,;)(]+\\s[(@\"]\\s\\w+\\W+\\w)\|(?:select\\s[\\[\\]()\\s\\w\\.,\"-]+from)\|(?:find_in_set\\s\\()",`
`559`	`559`	`"description":"Detects basic SQL authentication bypass attempts 2\/3",`
`560`	`560`	`"tags":{`
`561`	`561`	`"tag":[`