
Conversation

theMiddleBlue
Contributor

This PR contains a new rule at PL1 that tries to catch SQL in JSON payloads not covered at PL1. For more information about the bypass technique, please refer to https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf

@theMiddleBlue theMiddleBlue marked this pull request as draft December 12, 2022 22:10
@theMiddleBlue
Contributor Author

This is a draft; I'm working on a stricter version for SQLite and PostgreSQL in order to avoid FPs.

@RedXanadu
Member

@theMiddleBlue We don't seem to match against this example, which appears to be path-based (original example screenshot):

curl -H 'x-crs-version: nightly' -H 'x-crs-paranoia-level: 4' -H 'x-backend: apache' -H 'x-format-output: txt-matched-rules' "https://sandbox.coreruleset.org/blah/\"\}'%20and%20data%20@>%20'\{\"a\":\"a\"\}'%20union%20select%20ASCII(s.token)%20from%20unnset(string_to_array((select%20cookie%20from%20cookie%20limit%201%20),NULL))%20s(token)--/state?sig=1&timeStamp=50"

We don't catch it when the attack is in the path, but we do catch it when it's in ARGS as a query string parameter:

curl -H 'x-crs-version: nightly' -H 'x-crs-paranoia-level: 4' -H 'x-backend: apache' -H 'x-format-output: txt-matched-rules' "https://sandbox.coreruleset.org/blah?param=\"\}'%20and%20data%20@>%20'\{\"a\":\"a\"\}'%20union%20select%20ASCII(s.token)%20from%20unnset(string_to_array((select%20cookie%20from%20cookie%20limit%201%20),NULL))%20s(token)--/state?sig=1&timeStamp=50"

980170 PL1 Anomaly Scores: (Inbound Scores: blocking=90, detection=90, per_pl=15-56-11-8, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=70, XSS=5, RFI=0, LFI=0, RCE=10, PHPI=0, HTTP=0, SESS=0)
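The path-versus-ARGS gap shown in the two curl requests above, illustrated with an added Python example that is not part of this PR, of the CRS rule set, or of the sandbox. It models the two inspection locations a WAF has for a request target (the decoded path and each query-string argument) and runs one illustrative heuristic over both, so that the same payload is flagged whether it arrives in the path or in `param`. The regular expression, the location names and the sample request targets are constructed for this example and are not the rule under review.

```python
# Added example, not CRS code: inspect both the request path and the query
# arguments for the PostgreSQL JSON-operator SQL fragments discussed in the
# thread, so that a payload is not missed merely because it sits in the path.
import re
from urllib.parse import parse_qsl, unquote

# Hypothetical heuristic (not the CRS rule): a PostgreSQL JSON operator
# (@>, <@, ->, ->>, #>, #>>) followed within 200 characters by a common SQL
# keyword. Requiring the operator first keeps ordinary search text such as
# "select the best from our menu" from matching, which is the kind of false
# positive the draft rule is trying to avoid.
JSON_SQL_PATTERN = re.compile(
    r"(?:@>|<@|->>|->|#>>|#>).{0,200}?\b(?:union|select|from|where)\b",
    re.IGNORECASE | re.DOTALL,
)


def extract_targets(request_target):
    """Split a request target (path plus optional query) into the decoded
    locations a WAF should inspect, keyed by a ModSecurity-style name.

    The split is done on the raw request target rather than with urlsplit(),
    because a '#' inside an attack string would otherwise be treated as a
    URL fragment and silently truncate the path under inspection.
    """
    path, _, query = request_target.partition("?")
    # Path: percent-decode only ('+' is literal in a path, not a space).
    targets = {"REQUEST_FILENAME": unquote(path)}
    # Query: parse_qsl percent-decodes and maps '+' to a space per argument.
    for name, value in parse_qsl(query, keep_blank_values=True):
        targets[f"ARGS:{name}"] = value
    return targets


def matched_targets(request_target):
    """Return the names of the locations where the heuristic fires."""
    return [
        name
        for name, text in extract_targets(request_target).items()
        if JSON_SQL_PATTERN.search(text)
    ]


# Constructed sample request targets, built from the two curl commands in the
# thread: once with the payload in the path, once in the 'param' argument.
PATH_VARIANT = (
    "/blah/\"}'%20and%20data%20@>%20'{\"a\":\"a\"}'%20union%20select%20ASCII(s.token)"
    "%20from%20unnset(string_to_array((select%20cookie%20from%20cookie%20limit%201%20),NULL))"
    "%20s(token)--/state?sig=1&timeStamp=50"
)
ARGS_VARIANT = PATH_VARIANT.replace("/blah/", "/blah?param=", 1)

# Constructed benign request: JSON in an argument and SQL-like English text,
# but no JSON operator, so the heuristic stays quiet.
BENIGN = "/search?filter=%7B%22a%22%3A%22a%22%7D&q=select%20the%20best%20from%20our%20menu"


if __name__ == "__main__":
    for label, target in (("path", PATH_VARIANT), ("args", ARGS_VARIANT), ("benign", BENIGN)):
        print(f"{label:>6}: matched in {matched_targets(target) or 'nothing'}")
```

Running the block reports a hit in `REQUEST_FILENAME` for the path variant and in `ARGS:param` for the query-string variant, and nothing for the benign request; the point is that a rule's target list has to include the path (in CRS terms, `REQUEST_FILENAME`/`REQUEST_BASENAME` alongside `ARGS`) or the first request goes through untouched.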

@theMiddleBlue
Contributor Author

Thanks @RedXanadu!