[Owasp-modsecurity-core-rule-set] False positive
Ryan Barnett
rcbarnett at gmail.com
Mon Nov 30 16:19:17 EST 2009
Per my other email that I just sent out, download CRS v2.0.4 and then add the
following exception rule to your 48 local exceptions file.
SecRule TX:/^PHPIDS-CONVERTER-COMMENT-EVASION.*ARGS:PASSWD/ "." \
    "chain,phase:2,t:none,nolog,pass,setvar:tx.phpids-comment-evasion-counter=+1,setvar:tx.phpids-comment-evasion-%{tx.phpids-comment-evasion-counter}=%{matched_var_name}"
    SecRule TX:'/^PHPIDS-COMMENT-EVASION/' "^TX:(phpids-.*ARGS:PASSWD)$" \
        "capture,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
Basically, the new CRS rules are setting TX variables that hold the important
meta-data about rule matches (rather than simply directly logging them to the
error/audit log files). The exception above will look to see if there are any
matches for the PHPIDS Comment Evasion rules in the parameter called "PASSWD".
If so, it will capture each TX variable's data and then expire them in the 2nd
part of the rule. It will then correct the anomaly score.
Let me know if you need any more help.
--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com
On Wednesday 25 November 2009 03:31:05 am Superpizza wrote:
> Hi everyone.
>
> I'm a bit puzzled on how to handle a false positive
> for a couple of rules belonging to
> "Comment Evasion Attempt" ruleset.
> (in modsecurity_crs_41_phpids_converter.conf)
>
> I've got a form taking 2 parameters, say "LOGIN" & "PASSWORD".
> If password is set to "---aa---" rules are triggered,
> and this causes a false positive.
> If I understood well, best practice should be modifying:
> modsecurity_crs_48_local_exceptions.conf
> I can't understand how to update this file in order
> to avoid matching parameter "PASSWORD" against
> both of the rules.
>
> --7a02be68-C--
> LOGIN=12345678&PASSWD=---aa---
> --7a02be68-F--
> HTTP/1.1 403 Forbidden
> Last-Modified: Thu, 13 Nov 2008 09:30:44 GMT
>
> --7a02be68-H--
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 60): Comment Evasion Attempt"]
> Action: Intercepted (phase 2)
>
>
> Thanks for your help.
>
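Before writing a 48_local_exceptions rule like the one above, it helps to know exactly which variable each hit fired on, since the audit log in the original post shows the same rule matching both REQUEST_BODY and ARGS:PASSWD. The following is an added example, not code from the thread or from the CRS project: a small parser for the section-H "Message:" lines of a ModSecurity audit log that groups rule hits by matched variable and pulls out the transactional anomaly score. The sample log is constructed from the messages quoted above, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the section-H lines from the post, one message per line.
BASE = "/usr/local/apache/conf/modsecurity/base_rules/"
_HIT = ('Message: Pattern match "(?:--[^-]*-)" at {var}. [file "{base}modsecurity_crs_41_phpids_converter.conf"]'
        ' [line "{line}"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]')
AUDIT_H = "\n".join([
    _HIT.format(var="REQUEST_BODY", line=28, base=BASE),
    _HIT.format(var="ARGS:PASSWD", line=28, base=BASE),
    _HIT.format(var="REQUEST_BODY", line=34, base=BASE),
    _HIT.format(var="ARGS:PASSWD", line=34, base=BASE),
    'Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "' + BASE + 'modsecurity_crs_60_correlation.conf"]'
    ' [line "41"] [msg "Transactional Anomaly Score (score 60): Comment Evasion Attempt"]',
    "Action: Intercepted (phase 2)",
])

# "Message: <operator text> at <VARIABLE>. [key "value"] [key "value"] ..."
MSG_RE = re.compile(r'^Message: (?P<text>.*?) at (?P<var>\S+?)\. (?P<attrs>\[.*)$')
ATTR_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_messages(section_h):
    """Return one dict per 'Message:' line: operator text, matched variable, and the bracketed attributes."""
    events = []
    for line in section_h.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # e.g. the 'Action:' line
        ev = {"text": m.group("text"), "var": m.group("var")}
        ev.update(ATTR_RE.findall(m.group("attrs")))  # file, line, msg, data, severity, tag
        events.append(ev)
    return events


def matches_by_variable(events, msg=None):
    """Group rule hits by the variable they fired on as {var: [(rule file, rule line), ...]}.

    The 60_correlation summary (matched at TX:anomaly_score) is skipped; an
    optional msg restricts the result to one rule message."""
    hits = defaultdict(list)
    for ev in events:
        if "msg" not in ev or ev["var"].startswith("TX:"):
            continue
        if msg is None or ev["msg"] == msg:
            hits[ev["var"]].append((ev["file"].rsplit("/", 1)[-1], ev["line"]))
    return dict(hits)


def anomaly_score(events):
    """Extract the '(score N)' value from the correlation rule's msg, or None if absent."""
    for ev in events:
        m = re.search(r"\(score (\d+)\)", ev.get("msg", ""))
        if m:
            return int(m.group(1))
    return None
```

Running `matches_by_variable(parse_messages(AUDIT_H), "Comment Evasion Attempt")` shows that only the ARGS:PASSWD hits need an exception; the REQUEST_BODY hits are the same input seen through a broader variable.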