quantitative: Rule 921170 always flags in error (PL 3 rule) #393

RedXanadu · 2024-11-06T11:11:05Z

Rule 921170 is not a detection rule: it is an admin/scaffold rule designed to make the HTTP parameter pollution rules.

SecRule ARGS_NAMES "@rx ." \
    "id:921170,\
    phase:2,\
    ⋮
    setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

$ ./ftw quantitative --crs-path ~/.git/coreruleset --corpus-lang=eng --corpus-source=news --corpus-year=2020 --corpus-size=10K --paranoia-level=4
11:09AM INF ⏳Running quantitative tests with 10 goroutines
Run 10000 payloads in 9.657304833s
Total False positive ratio: 26481/10000 = 2.6481
False positives per rule id:
  920220: 130 false positives
  920221: 130 false positives
  920272: 3299 false positives
  920273: 10000 false positives
  921170: 10000 false positives
  ⋮

The text was updated successfully, but these errors were encountered:

RedXanadu · 2024-11-06T11:11:42Z

It looks like go-ftw also cannot correctly handle rule 920273 (from the results above).

M4tteoP changed the title ~~Rule 921170 always flags in error (PL 3 rule)~~ quantitative: Rule 921170 always flags in error (PL 3 rule) Nov 18, 2024

fzipi mentioned this issue Nov 26, 2024

fix: remove scaffolding rule 921170 from quantitative #407

Merged

theseion closed this as completed in #407 Nov 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

quantitative: Rule 921170 always flags in error (PL 3 rule) #393

quantitative: Rule 921170 always flags in error (PL 3 rule) #393

RedXanadu commented Nov 6, 2024

RedXanadu commented Nov 6, 2024

quantitative: Rule 921170 always flags in error (PL 3 rule) #393

quantitative: Rule 921170 always flags in error (PL 3 rule) #393

Comments

RedXanadu commented Nov 6, 2024

RedXanadu commented Nov 6, 2024