OWASP ModSec CRS Paranoia Mode Sibling 981173

981173 : SQL Injection Character Anomaly Usage
Original ID (2.2.X): 981173 Change: Regex counter decreased to '1', anomaly score set to 'critical', paranoia tag added FP Filter: UUIDs

# # -=[ SQL Injection Character Anomaly Usage ]=- # # This is a paranoid sibling to 2.2.9 Rule 981173. # The regex limit is set to {1,}, adjust to your own needs. # For dealing with false positives caused by uuids, the rule is now chained. # Also the anomaly score is now set to critical. # SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\        "chain,\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'X',\ accuracy:'Y',\ t:none,t:urlDecodeUni,\ block,\ msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\ id:'XXXXXX',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'Paranoia rule on level 40',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"       SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\                "t:lowercase,\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.sql_injection_score=+1"