[Owasp-modsecurity-core-rule-set] Rule Set is being violated on modsecurity_crs_41_phpids_converter.conf line 70

Josh Amishav-Zlatin jamuse at gmail.com
Tue Mar 8 15:45:48 EST 2011


On Tue, Mar 8, 2011 at 9:59 PM, Mirabito, Massimo (Max) (CDC/OID/OD)
(CTR) <mcm8 at cdc.gov> wrote:
> Dear All
>
>
>
> We are having difficulty with one of our applications as it appears that
> mod_security is blocking some of the content thinking that it is a
> vulnerability.
>
> We are running Apache version 2.2 with mod_security version 2.05
>
>
>
>
>
> The url that is giving us problems is as follows:
>
> https://myserver.com/MYAPP/nt/chart/run.do?t=tcg&m=cot/trend&f=png&r=3&y=2005+to+2009&d=labels_x:[2005,2006,2007,2008,2009,-8.88888888E8,2015];tlabels_x:[2005,2006,2007,2008,2009];g:[[89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null],[90,85,87,89,90,-8.88888888E8,null],[83.209136562,83.894290701,84.484373669,81.189229619,64.743991641,-8.88888888E8,null],[null,null,null,null,null,-8.88888888E8,93]];t:[[194,166,149,150,148],[184,155,144,141,130],[174,144,137,135,126],[10,11,5,9,18]]&c=0+0+0+0+1&rid=1
>
>
>
> The peculiar thing is that a similar url runs properly, see below
>
> https://myserver.com/MYAPP/nt/chart/run.do?t=pct&m=cot/outcomes&f=png&r=3&y=2009&d=p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],[2,1.3513513514],[1,0.6756756757],[15,10.135135135]]&&rid=1
>
>
>
> The logs show the following rule being violated:
>
> Message: Pattern match "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" at
> ARGS:d. [file
> "C:/Apache2.2/conf/mod_security/base_rules/modsecurity_crs_41_phpids_converter.conf"]
> [line "70"] [id "973016"] [msg "Basic Charcode Pattern Found"] [data
> "2005,2006,2007,2008,2009,-8.88888888e3"]
>
>
>
> The rule in question is located in modsecurity_crs_41_phpids_converter.conf
>  - line 70
>
> SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" \
>   "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973016',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
>
>
>
> My coworker discovered that if we modify a portion of the rule then we are
> able to run the application properly. In particular, if we modify {4} to {10},
> then things begin working.
>
> SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}"
>
> TO
>
> SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){10,}"
>
>
>
> We are concerned that by making this change we either inadvertently make our
> security weaker or break other things. So we are wondering whether the rule has
> an inherent problem, and whether there is a way to either resolve it or bypass
> it, or any other best practice.

Hi Mirabito,

Earlier versions of the PHP IDS rules were false-positive prone. That
ruleset has subsequently been converted to Lua. Consider upgrading the
core rule set or disabling that rule for the affected script.

--
 - Josh
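To see why the quoted rule fires on the chart data and goes quiet at {10,}, here is an added Python check (not part of the thread, ModSecurity or the CRS project) that runs the rule's own regex, with an approximation of its transformation chain, over the two d values quoted above. The pattern's character class contains the range `+-=`, which inside a class spans every character from `+` to `=`, so it also accepts comma, period, slash, colon and semicolon, not just `+`, `-` and `=`. Each repetition therefore needs only one comma inside a run of digits and punctuation, and the rule effectively counts commas between the brackets of the chart arrays: the blocked request has rows with five commas, enough for {4,} and not for {10,}, while the working request's rows have one comma each. The `normalize()` function is a stand-in for ModSecurity's transforms and is labelled as such in the code.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Regex from CRS rule 973016 as quoted in the thread; %d is the repeat
# count under discussion ({4,} in the shipped rule, {10,} after the edit).
CHARCODE_RE = r"(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){%d,}"

# The two "d" argument values copied from the URLs quoted above: the request
# that was blocked and the similar one that went through.
BLOCKED_D = ("labels_x:[2005,2006,2007,2008,2009,-8.88888888E8,2015];"
             "tlabels_x:[2005,2006,2007,2008,2009];"
             "g:[[89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null],"
             "[90,85,87,89,90,-8.88888888E8,null],"
             "[83.209136562,83.894290701,84.484373669,81.189229619,64.743991641,-8.88888888E8,null],"
             "[null,null,null,null,null,-8.88888888E8,93]];"
             "t:[[194,166,149,150,148],[184,155,144,141,130],[174,144,137,135,126],[10,11,5,9,18]]")
ALLOWED_D = ("p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],"
             "[2,1.3513513514],[1,0.6756756757],[15,10.135135135]]")


def normalize(value: str) -> str:
    """Approximate the rule's transformation chain (t:urlDecodeUni,
    t:htmlEntityDecode, t:compressWhiteSpace, t:lowercase). This is a
    stand-in for ModSecurity's own transforms, which differ in corner
    cases such as %uXXXX decoding; it is good enough for these inputs."""
    value = html.unescape(unquote(value))
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def rule_match(value: str, min_repeats: int = 4) -> Optional[str]:
    """Return what ModSecurity would log as TX.0 (the whole match) when
    rule 973016 fires on this argument value, or None when it does not."""
    m = re.search(CHARCODE_RE % min_repeats, normalize(value))
    return m.group(0) if m else None


def chars_in_class(candidates: str) -> str:
    """Return the characters of `candidates` accepted by the rule's character
    class. Because '+-=' is a range inside a class, comma, period, slash,
    colon, semicolon and '<' are accepted alongside '+', '-' and '='."""
    return "".join(c for c in candidates if re.fullmatch(r"[\d+-=\/\* ]", c))


if __name__ == "__main__":
    print("class accepts:", repr(chars_in_class("+,-./0:;<=>ab[]")))
    for label, d in (("blocked", BLOCKED_D), ("allowed", ALLOWED_D)):
        for n in (4, 10):
            print(f"{label} d with {{{n},}}: {rule_match(d, n)!r}")
```

Raising the quantifier is a global change to what the rule considers a charcode sequence, whereas the thread's other option, disabling it for the one script, is a targeted exception: in ModSecurity 2.x that is `SecRuleRemoveById 973016` placed inside a `<LocationMatch>` (or `<Location>`) container for the chart path, so the rule stays active everywhere else.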

