I'm trying to use CRL-00211 on our Apache logs with the SQL_Injection watchlist provided in the latest watchlist_sample.zip. The alert won't fire and I'm wondering about the format of the watchlist entries. The Help says enVision uses POSIX regex.
Isn't the use of the "\" going to turn the one-or-more operator "+" into a literal character? It seems like the "\+*" should be ".+" for all uses.
It also seems superfluous to have ".*" on either side of the expression. If nothing else this might impact performance.
Has anyone created a better list of regex? I realize enVision isn't the best place to be detecting SQL injection, but it's a start.
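As an added illustration (not part of the original post, and not the contents of the enVision watchlist), this shell snippet runs three hypothetical pattern fragments through grep -E, which uses POSIX ERE, against constructed Apache access-log lines. The fragments `union\+*select`, `union.+select` and `.*union.+select.*` and the log lines are assumptions chosen to show the escaping and redundancy points above.

```shell
#!/bin/sh
# Added example: how POSIX ERE treats "\+*" versus ".+", and whether ".*"
# on either side changes an unanchored match. Patterns and log lines are
# constructed for illustration; they are not from watchlist_sample.zip.

# Constructed sample lines (not real traffic). The first encodes spaces as
# %20, the second encodes them as "+", the third carries no SQL keywords.
LOG_ENCODED='10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] "GET /item.php?id=1%20union%20select%201 HTTP/1.1" 200 512'
LOG_PLUS='10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] "GET /item.php?id=1+union+select+1 HTTP/1.1" 200 512'
LOG_CLEAN='10.0.0.6 - - [01/Jan/2024:00:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512'

# Print "match" or "nomatch" for one POSIX ERE pattern against one line.
# "\+" is a literal plus in ERE, so "\+*" means zero or more "+" characters,
# not "one or more of anything"; ".+" is what the poster expected.
ere_check() {
  pattern=$1
  line=$2
  if printf '%s\n' "$line" | grep -E -q -- "$pattern"; then
    echo match
  else
    echo nomatch
  fi
}

# Tabulate the three fragments against the three lines when run directly.
# Note that ".*union.+select.*" behaves exactly like "union.+select":
# grep -E already searches anywhere in the line, so the ".*" only adds work.
demo() {
  for p in 'union\+*select' 'union.+select' '.*union.+select.*'; do
    printf '%-22s encoded=%s plus=%s clean=%s\n' "$p" \
      "$(ere_check "$p" "$LOG_ENCODED")" \
      "$(ere_check "$p" "$LOG_PLUS")" \
      "$(ere_check "$p" "$LOG_CLEAN")"
  done
}
demo
```

The escaped form only fires when the keywords are adjacent or separated by literal plus signs, so a %20-encoded request slips past it while `.+` catches both encodings.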