coreruleset · fzipi · Feb 17, 2026 · Feb 16, 2026 · Feb 17, 2026
diff --git a/regex-assembly/951220.ra b/regex-assembly/951220.ra
@@ -0,0 +1,40 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! .NET Exception Classes
+System\.Data\.OleDb\.OleDbException
+\[SqlException
+System\.Data\.SqlClient\.SqlException
+Exception.*\WSystem\.Data\.SqlClient\.
+
+##! ODBC/JDBC Drivers
+\[Microsoft\]\[ODBC SQL Server Driver\]
+\[Macromedia\]\[SQLServer JDBC Driver\]
+Driver.*SQL[ _-]*Server
+
+##! OLE DB Providers
+Microsoft OLE DB Provider for ODBC Drivers
+Microsoft OLE DB Provider for SQL Server
+OLE DB.*SQL Server
+
+##! SQL Syntax Errors
+Incorrect syntax near
+Sintaxis incorrecta cerca de
+Syntax error in string in query expression
+Syntax error .* in query expression
+Unclosed quotation mark after the character string
+Unclosed quotation mark before the character string
+Procedure or function '.{1,128}' expects parameter
+Data type mismatch in criteria expression\.
+
+##! Error Codes and Messages
+'80040e14'
+ADODB\.Field \(0x800A0BCD\)
+the used select statements have different number of columns
+Conversion failed when converting the varchar value .*? to data type int\.
+
+##! PHP Warnings
+mssql_query\(\)
+Warning.*mssql_.*
diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -307,7 +307,12 @@ SecRule RESPONSE_BODY "@rx (?i)Warning.{1,10}maxdb[\(\):_a-z]{1,26}:" \
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
 
-SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function '.{1,128}' expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
+# Regular expression generated from regex-assembly/951220.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 951220
+#
+SecRule RESPONSE_BODY "@rx (?i)S(?:y(?:stem\.Data\.(?:OleDb\.OleDb|SqlClient\.Sql)Except|ntax error (?:in string|.*) in query express)ion|intaxis incorrecta cerca de)|\[(?:SqlException|M(?:icrosoft\]\[ODBC SQL Server|acromedia\]\[SQLServer JDBC) Driver\])|(?:Exception.*[^0-9A-Z_a-z]System\.Data\.SqlClie|Conversion failed when converting the varchar value .*? to data type i)nt\.|D(?:river.*SQL[ \-_]*Server|ata type mismatch in criteria expression\.)|Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server)|(?:(?:OLE DB.*SQL Serv|Procedure or function '.{1,128}' expects paramet)e|Incorrect syntax nea)r|Unclosed quotation mark (?:after|before) the character string|'80040e14'|(?:ADODB\.Field \(0x800A0BCD|mssql_query\()\)|the used select statements have different number of columns|Warning.*mssql_.*" \
     "id:951220,\
     phase:4,\
     block,\