From c352c1e11a7a4203bbb7994942dcef0406f3bba6 Mon Sep 17 00:00:00 2001 From: Rufus Date: Sun, 24 Feb 2019 17:31:01 +0100 Subject: [PATCH] Update making.rst Correct apostrophe --- making.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/making.rst b/making.rst index a406912..98c6c42 100755 --- a/making.rst +++ b/making.rst 
@@ -146,10 +146,10 @@ Most OPERATORS are self explanatory. Many operators such as the string manipulat * Usage of wildcards should be reasonable. \r\n characters can often be bypassed by either substitution, or by using newline alternative \v, \f and others. Wildcard \b has different meanings while using wildcard in square brackets (has meaning “backspace”) and in plain regex (has meaning “word boundary”), as classified in RegexLib article [42]. * Regexp should be applied to right scope of inputs: Cookies names and values, Argument names and values, Header names and values, Files argument names and content. * Regular expression writers should be careful while using only whitespace character (%20) for separating tag attributes. Rule can be bypassed with newline character: i.e. %0d,%0a. -* Greediness of regular expressions should be considered. Highlight of this topic is well done in Chapter 9 of Jan Goyvaert’s tutorial [27]. While greediness itself does not create bypasses, bad implementation of regexp Greediness can raise False Positive rate. This can cause excessive log-file flooding, forcing vulnerable rule or even whole WAF to be switched off. +* Greediness of regular expressions should be considered. Highlight of this topic is well done in Chapter 9 of Jan Goyvaert's tutorial [27]. While greediness itself does not create bypasses, bad implementation of regexp Greediness can raise False Positive rate. This can cause excessive log-file flooding, forcing vulnerable rule or even whole WAF to be switched off. Rules for CRS ============= All rules for CRS should include at least one regression test. To increase the chances of having your pull request accepted into the mainline more regression tests are recommended. -If your rule contains combination of data sources into a single regular expression for performance reasons you should document the use of the regexp-assemble command in the comments above your command. 
You should also include your independent sources within this util directory. Doing so increases overall maintainability. \ No newline at end of file +If your rule contains combination of data sources into a single regular expression for performance reasons you should document the use of the regexp-assemble command in the comments above your command. You should also include your independent sources within this util directory. Doing so increases overall maintainability.
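Review bot: the hunk does more than the subject line "Correct apostrophe" states: besides replacing the curly apostrophe in "Jan Goyvaert's tutorial [27]" with a straight one, it joins the two-line "If your rule contains combination of data sources ..." / "You should also include your independent sources ..." paragraph onto a single line and adds the missing newline at end of file. Either amend the commit message to mention the reflow and the EOF newline, or split those into a separate commit so the apostrophe fix stays a one-character review. While touching the greediness bullet, consider also lowercasing "Greediness" in "bad implementation of regexp Greediness" and smoothing "Highlight of this topic is well done in" to "This topic is covered well in", since the same line is already being rewritten.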