[Owasp-modsecurity-core-rule-set] False positive

Ryan Barnett rcbarnett at gmail.com
Mon Nov 30 16:19:17 EST 2009


Per my other email that I just sent out, download CRS v2.0.4 and then add the 
following exception rule to your 48 local exceptions file.

SecRule TX:/^PHPIDS-CONVERTER-COMMENT-EVASION.*ARGS:PASSWD/ "." \
  "chain,phase:2,t:none,nolog,pass,setvar:tx.phpids-comment-evasion-counter=+1,setvar:tx.phpids-comment-evasion-%{tx.phpids-comment-evasion-counter}=%{matched_var_name}"
  SecRule TX:'/^PHPIDS-COMMENT-EVASION/' "^TX:(phpids-.*ARGS:PASSWD)$" \
  "capture,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"


Basically, the new CRS rules are setting TX variables that hold the important 
meta-data about rule matches (rather than simply directly logging them to the 
error/audit log files).  The exception above will look to see if there are any 
matches for the PHPIDS Comment Evasion rules in the parameter called "PASSWD".  
If so, it will capture each TX variable's data and then expire them in the 2nd 
part of the rule.  It will then correct the anomaly score.  

Let me know if you need any more help.

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com

On Wednesday 25 November 2009 03:31:05 am Superpizza wrote:
> Hi everyone.
> 
>  I'm a bit puzzled about how to handle a false positive
>  for a couple of rules belonging to the
>  "Comment Evasion Attempt" ruleset
>  (in modsecurity_crs_41_phpids_converter.conf).
> 
>  I've got a form taking 2 parameters, say "LOGIN" & "PASSWORD".
>  If the password is set to "---aa---", the rules are triggered,
>  and this causes a false positive.
>  If I understood correctly, best practice should be to modify
>  modsecurity_crs_48_local_exceptions.conf.
>  I can't understand how to update this file in order
>  to avoid matching parameter "PASSWORD" against
>  both of the rules.
> 
>  --7a02be68-C--
>  LOGIN=12345678&PASSWD=---aa---
>  --7a02be68-F--
>  HTTP/1.1 403 Forbidden
>  Last-Modified: Thu, 13 Nov 2008 09:30:44 GMT
> 
>  --7a02be68-H--
>  Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
>  Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
>  Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
>  Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
>  Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
>  Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
>  Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 60): Comment Evasion Attempt"]
>  Action: Intercepted (phase 2)
> 
> 
>  Thanks for your help.
> 
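As an added example (not code from the thread or from the CRS project), a small Python parser for the audit-log section-H "Message:" lines quoted above. It groups rule hits by matched variable and rule location, separates hits on a named parameter (the kind a per-parameter exception like the one above can carve out) from hits on the raw REQUEST_BODY, and reads back the transactional anomaly score. The sample log text is reconstructed from the quoted audit log, rejoined onto one line per message.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the section-H "Message:" lines quoted in the thread above,
# rejoined onto one line each (the list archive wrapped them) and de-duplicated.
SAMPLE_SECTION_H = """\
Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 60): Comment Evasion Attempt"]
"""

# Shape of a line: Message: <operator text> at <variable>. [key "value"] [key "value"] ...
MESSAGE_RE = re.compile(r'^Message: (?P<text>.*) at (?P<target>[\w:]+)\. (?P<details>\[.*\])$')
DETAIL_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_section_h(text):
    """Return one dict per Message line: the target variable plus every [key "value"] field."""
    events = []
    for line in text.splitlines():
        m = MESSAGE_RE.match(line)
        if m:
            events.append({"target": m.group("target"), **dict(DETAIL_RE.findall(m.group("details")))})
    return events


def rule_hits_by_target(events):
    """Map (matched variable, rule file) -> sorted rule lines that fired on it.
    TX:* targets are the correlation rules reading the score, not input matches, so skip them."""
    hits = defaultdict(set)
    for e in events:
        if not e["target"].startswith("TX:"):
            hits[(e["target"], os.path.basename(e["file"]))].add(int(e["line"]))
    return {key: sorted(lines) for key, lines in hits.items()}


def parameters_to_exempt(events):
    """Only ARGS:<name> targets can be carved out per parameter; REQUEST_BODY hits come
    from the same rules running over the raw body and are not removed by such an exception."""
    return sorted({t for (t, _) in rule_hits_by_target(events) if t.startswith("ARGS:")})


def anomaly_score(events):
    """Score reported by the 60_correlation rule, or None if the transaction was not scored."""
    for e in events:
        if e["target"] == "TX:anomaly_score":
            m = re.search(r"\(score (\d+)\)", e.get("msg", ""))
            return int(m.group(1)) if m else None
    return None
```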

