FP 932260: Name of "Axel"

[ssigwart]

Description

This is very similar to #3490, but with a fill name field. For example, "Axel Smith" gets blocked.

How to reproduce the misbehavior (-> curl call)

curl -i -H "x-format-output: txt-matched-rules" 'https://sandbox.coreruleset.org?name=axel+smith'

Date: Wed, 03 Apr 2024 15:41:16 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
X-Unique-ID: Zg14nKzdFlh2Fu_y9nB4ewAAAIg
x-backend: apache-nightly

932260 PL1 Remote Command Execution: Direct Unix Command Execution
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

[franbuehler]

The regex of the rule 932260 is assembled from the source with include-except unix-shell-4andup unix-shell-fps-pl1. This means we already have to possiblity to exclude false positives with this file at PL1 unix-shell-fps-pl1.

I'm not entirely sure if the intention is for this file unix-shell-fps-pl1 to be created automatically or whether commands can be added manually later.

[dune73]

I'd say we add axel to said file.

@theseion : Do you agree?

[franbuehler]

Thank you! I'll provide a PR, if Max agrees.

[theseion]

I agree. I think it's safe enough to exclude at PL1. The exclusions need to be added to the list manually.

[franbuehler]

Ok, I'll open a PR. Thank you both!