RSA Admin

Regex format in SQL_Injection watchlist?

Discussion created by RSA Admin Employee on Feb 29, 2012

I'm trying to use CRL-00211 on our Apache logs with the SQL_Injection watchlist provided in the latest  The alert won't fire and I'm wondering about the format of the watchlist entries. The Help says enVision uses POSIX regex.




Isn't the use of the "\" going to turn the one-or-more operator "+" into a literal character?  It seems like the "\+*" should be ".+" for all uses.


It also seems superfluous to have ".*" on either side of the expression. If nothing else this might impact performance.


Has anyone created a better list of regex?  I realize enVision isn't the best place to be detecting SQL injection, but it's a start.
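The escaping question above can be checked outside enVision. This is an added example, not part of the original post or of the RSA watchlist. It assumes POSIX extended-regex semantics as implemented by `grep -E`; the three patterns and the log lines are constructed, since the watchlist entries themselves are not shown on the page.

```shell
#!/bin/sh
# Constructed Apache access-log lines (not taken from the page).
sample_log() {
cat <<'EOF'
10.0.0.5 - - [29/Feb/2012:10:00:01 +0000] "GET /item.php?id=1+union+select+1,2 HTTP/1.1" 200 512
10.0.0.5 - - [29/Feb/2012:10:00:02 +0000] "GET /item.php?id=1%20union%20select%201,2 HTTP/1.1" 200 512
10.0.0.9 - - [29/Feb/2012:10:00:03 +0000] "GET /credit-union/select-branch.html HTTP/1.1" 200 2048
10.0.0.9 - - [29/Feb/2012:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
EOF
}

# Hypothetical patterns in the shapes the post discusses.
P_ESCAPED='.*union\+*select.*'  # "\+" is a literal plus in ERE; "*" repeats it zero or more times
P_BARE='union\+*select'         # same pattern without the leading and trailing ".*"
P_DOT='union.+select'           # the ".+" variant: one or more of any character

# Print how many sample lines a pattern matches (case-insensitive, unanchored search).
count_matches() {
    sample_log | grep -Eic -- "$1" || true   # grep exits 1 on zero matches; still print the count
}

# Print the request portion of every sample line a pattern matches.
show_matches() {
    sample_log | grep -Ei -- "$1" | sed 's/^[^"]*"//; s/".*$//' || true
}

for p in "$P_ESCAPED" "$P_BARE" "$P_DOT"; do
    printf '%s  ->  %s line(s)\n' "$p" "$(count_matches "$p")"
    show_matches "$p" | sed 's/^/    /'
done
```

Under these assumptions the escaped form only matches requests where the keywords are joined by literal `+` characters (the form-encoded space), the `.+` form also matches `%20` encoding and the benign `/credit-union/select-branch.html` path, and dropping the surrounding `.*` does not change the match set for an unanchored search.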