OWASP ModSec CRS Paranoia Mode Sibling 981173

This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.

981173 : SQL Injection Character Anomaly Usage
# # -=[ SQL Injection Character Anomaly Usage ]=- # # This is a paranoid sibling to 2.2.x Rule 981173. # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'. # For dealing with false positives, UUID format is whitelisted with a chained rule. # SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\        "chain,\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'X',\ accuracy:'Y',\ t:none,t:urlDecodeUni,\ block,\ msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\ id:'XXXXXX',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'Paranoia rule on level Z',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"       SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\                "t:lowercase,\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.sql_injection_score=+1"