coreruleset · fzipi · Jan 27, 2026 · Nov 13, 2025 · Nov 13, 2025 · Nov 13, 2025
diff --git a/regex-assembly/942410.ra b/regex-assembly/942410.ra
@@ -1,246 +1,77 @@
 ##! Please refer to the documentation at
 ##! https://coreruleset.org/docs/development/regex_assembly/.
 
+##! This dataset in an extended version of regex-assembly/include/sql-injection-function-names.ra
+##! It contains sequences with a high risk of false positives including regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra
+
 ##!+ i
 ##!^ \b
 ##!$ \W*?\(
 
 abs
 acos
-adddate
-addtime
-aes_decrypt
-aes_encrypt
-asin
-ascii
-asciistr
-atan
-atan2
 avg
-benchmark
 bin
-bin_to_num
-bit_and
-bit_count
-bit_length
-bit_or
-bit_xor
 cast
 char
-character_length
-char_length
 charset
 chr
-ciel
-cieling
-coalesce
-coercibility
-compress
-concat
-concat_ws
-connection_id
-conv
 convert
-convert_tz
-cos
-cot
 count
-cr32
-curdate
-current_date
-current_time
-current_timestamp
-current_user
-curtime
-database
 date
-date_add
-datediff
-date_format
-date_sub
 day
-dayname
-dayofmonth
-dayofweek
-dayofyear
-dcount
-decode
 default
 degrees
-des_decrypt
-des_encrypt
-dump
 elt
-encode
-encrypt
-exp
-export_set
-extract
-extractvalue
 field
-field_in_set
-find_in_set
 floor
 format
-found_rows
-from_base64
-from_days
-from_unixtime
-get_format
-get_lock
-greatest
-group_concat
-hex
-hextoraw
 hour
 if
-ifnull
 in
-inet6_aton
-inet6_ntoa
-inet_aton
-inet_ntoa
-insert
-instr
-interval
 is
-is_free_lock
-is_ipv4
-is_ipv4_compat
-is_ipv4_mapped
-is_ipv6
-is_not
-is_not_null
-isnull
-is_null
-is_used_lock
 last
-last_day
-last_insert_id
-lcase
-least
 left
 length
 ln
-load_file
+likelihood
 local
-localtimestamp
-locate
 log
-log10
-log2
 lower
-lpad
-ltrim
-makedate
-make_set
-master_pos_wait
 max
-md5
-microsecond
-mid
 min
 minute
 mod
 month
-monthname
-name_const
-not_in
 now
-nullif
-oct
-octet_length
-old_password
-ord
 password
-period_add
-period_diff
-pg_sleep
 pi
 position
-pow
 power
-procedure_analyse
 quarter
-quote
-radians
-rand
-rawtohex
 rawtonhex
 rawtonhextoraw
-release_lock
 repeat
 replace
 reverse
 right
 round
-row_count
-rpad
-rtrim
-schema
 second
-sec_to_time
-session_user
-sha
-sha1
-sha2
 sign
-sin
 sleep
-soundex
 space
-sqrt
-std
 stddev
-stddev_pop
-stddev_samp
-strcmp
-str_to_date
-subdate
-substr
-substring
-substring_index
-subtime
 sum
-sysdate
-system_user
 tan
 time
-timediff
-time_format
-timestamp
-timestampadd
-timestampdiff
-time_to_sec
-to_base64
 to_char
 to_days
 to_nchar
 to_seconds
-trim
-truncate
-ucase
-uncompress
-uncompressed_length
-unhex
-unix_timestamp
-updatexml
+unlikely
 upper
 user
-utc_date
-utc_time
-utc_timestamp
-uuid
-uuid_short
 values
-variance
-var_pop
-var_samp
 version
 week
-weekday
-weekofyear
-weight_string
-xmltype
 year
-yearweek
diff --git a/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra
@@ -4,6 +4,8 @@
 ##! This list excludes command words that are prone to cause false positives
 ##! at paranoia level 1.
 
+##! Additions to this list should also result in an addition to this one: regex-assembly/942410.ra
+
 convert
 degrees
 elt

diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1197,7 +1197,7 @@ SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942410
 #
-SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[12]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|vg)|bin|c(?:(?:as|o(?:nver|un))t|h(?:ar(?:set)?|r))|d(?:a(?:te|y)|e(?:fault|grees))|elt|f(?:ield|loor|ormat)|(?:hou|quarte|yea)r|i[fns]|l(?:ast|e(?:ft|ngth)|n|ikelihood|o(?:cal|g|wer))|m(?:ax|in(?:ute)?|o(?:d|nth))|now|p(?:assword|i|o(?:sition|wer))|r(?:awtonhex(?:toraw)?|e(?:p(?:eat|lace)|verse)|ight|ound)|s(?:econd|ign|leep|pace|tddev|um)|t(?:an|ime|o_(?:n?char|(?:day|second)s))|u(?:nlikely|(?:pp|s)er)|v(?:alues|ersion)|week)[^0-9A-Z_a-z]*?\(" \
     "id:942410,\
     phase:2,\
     block,\
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,8 @@ @@
     ##! This list excludes command words that are prone to cause false positives
     ##! at paranoia level 1.
+    ##! Additions to this list should also result in an addition to this one: regex-assembly/942410.ra
     convert
     degrees
     elt
@@ Expand Down @@