[Owasp-modsecurity-core-rule-set] Restricted SQL Character Anomaly Detection Alert and Roundcube mail

Thomas D. Dahlmann domingo at domingo.dk
Mon Sep 12 16:25:45 EDT 2011


Just tried 2.2.2, still complaining:

--6e29976e-A--
[12/Sep/2011:22:20:57 +0200] Tm5pqH8AAQEAAD7NK34AAAAL 192.168.255.126 39065 x.x.x.x 443
--6e29976e-B--
GET /?_task=mail&_remote=1&_action=check-recent&_t=1315858856789&_mbox=INBOX&_list=1&_=1315858856790&_unlock=0 HTTP/1.1
Host: example.com
Connection: keep-alive
Referer: https://example.com/?_task=mail
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
X-Roundcube-Request: 0f3bcbcd36d0e4e2c4eab5f23ccfc971
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mailviewsplitterv=165; 
wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1; 
wp-settings-time-1=1314128296; 
roundcube_sessid=1b7ae7d350aca9dcc89493a63a2dbd24

--6e29976e-F--
HTTP/1.1 200 OK
Expires: Mon, 12 Sep 2011 20:20:57 GMT
Cache-Control: private, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 20:20:57 GMT
X-DNS-Prefetch-Control: off
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 96
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8

--6e29976e-H--
Message: Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){6,}" at REQUEST_COOKIES:wp-settings-1. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "521"] [id "981172"] [rev "2.2.2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "=1"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
Stopwatch: 1315858856891692 385196 (- - -)
Stopwatch2: 1315858856891692 385196; combined=80816, p1=844, p2=79444, p3=11, p4=197, p5=317, sr=305, sw=3, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.2.
Server: Apache/2.2.14 (Ubuntu)

--6e29976e-Z--

/Thomas

On 2011-09-02 18:48, Ryan Barnett wrote:
> Can you try the SVN trunk version (v2.2.2)?
>
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_
> rules/modsecurity_crs_41_sql_injection_attacks.conf
>
> I tried your complete transaction and the same category of check triggered
> for a Cookie value -
>
> [Fri Sep 02 12:41:07 2011] [error] [client 127.0.0.1] ModSecurity:
> Warning. Pattern match
> "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\
> \\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\
> \\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){6,}" at
> REQUEST_COOKIES:wp-settings-1. [file
> "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "521"] [id "981172"] [rev "2.2.2"] [msg "Restricted
> SQL Character Anomaly Detection Alert - Total # of special characters
> exceeded"] [data "=1"] [hostname "example.com"] [uri "/"] [unique_id
> "TmEHIcCoqAEAALzcEnkAAAAI"
>
>
>
> That wp-settings-1 cookie payload decodes to -
>
> wp-settings-1=editor=tinymce&m4=o&m0=o&uploader=1
>
> And the rule triggered on having a bunch of = and & chars in it.
>
> -Ryan
>
>
> On 9/2/11 10:27 AM, "Thomas D. Dahlmann"<domingo at domingo.dk>  wrote:
>
>> Hi
>>
>> I've got the below shown exception when I try to hit my webmail site.
>>
>> What kind of "bad" characters is the rule complaining about in this
>> request?
>>
>>
>> --63235740-A--
>> [02/Sep/2011:15:59:55 +0200] TmDhWX8AAQEAAClL2qkAAAAJ x.x.x.x 28681
>> 2.2.2.2 443
>> --63235740-B--
>> GET
>> /?_task=mail&_remote=1&_action=list&_mbox=RoundCube&_page=1&_refresh=1&_=1314971993364&_unlock=loading1314971993363
>> HTTP/1.1
>> Host: example.com
>> Connection: keep-alive
>> Referer: https://example.com/
>> X-Requested-With: XMLHttpRequest
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML,
>> like Gecko) Chrome/13.0.782.215 Safari/535.1
>> Accept: application/json, text/javascript, */*; q=0.01
>> X-Roundcube-Request: b7aa8fc451317a76730a72f69fbb3e9e
>> Accept-Encoding: gzip,deflate,sdch
>> Accept-Language: en-US,en;q=0.8
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>> Cookie: addressviewsplitter=250; prefsviewsplitter=195;
>> identviewsplitter=300; mailviewsplitter=291; sieverulesviewsplitter=245;
>> wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1;
>> wp-settings-time-1=1308940613; mailviewsplitterv=165;
>> roundcube_sessid=27cd4d0e05639619d9fa8684a6401300
>>
>> --63235740-F--
>> HTTP/1.1 200 OK
>> Expires: Fri, 02 Sep 2011 13:59:55 GMT
>> Cache-Control: private, no-cache, must-revalidate, post-check=0,
>> pre-check=0
>> Pragma: no-cache
>> Last-Modified: Fri, 02 Sep 2011 13:59:55 GMT
>> X-DNS-Prefetch-Control: off
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Content-Length: 1983
>> Keep-Alive: timeout=15, max=91
>> Connection: Keep-Alive
>> Content-Type: text/plain; charset=UTF-8
>>
>> --63235740-H--
>> Message: Operator GE matched 4 at TX:restricted_sqli_char_count. [file
>> "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
>> [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character
>> Anomaly Detection Alert - Total # of special characters exceeded"] [data
>> "4"]
>> Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
>> [file
>> "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlation.conf"]
>> [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound
>> Score: 3, SQLi=5, XSS=): Restricted SQL Character Anomaly Detection
>> Alert - Total # of special characters exceeded"]
>> Stopwatch: 1314971993379011 2207359 (- - -)
>> Stopwatch2: 1314971993379011 2207359; combined=125219, p1=1234,
>> p2=123185, p3=109, p4=385, p5=303, sr=387, sw=3, l=0, gc=0
>> Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/);
>> core ruleset/2.2.1.
>> Server: Apache/2.2.14 (Ubuntu)
>>
>> --63235740-Z--
>>
>>
>> /Thomas
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>
>
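To make the alert above concrete, here is an added example (not part of the thread and not CRS or ModSecurity code) that reproduces what rule 981172 checks: the regex printed in the audit log, run over each cookie in the Cookie header from the 2.2.2 transaction. The header is a constructed copy of the one in the log, re-joined onto one line. Decoding it the way the rule's t:urlDecodeUni transformation does, the (evidently WordPress) wp-settings-1 value `editor=tinymce&m4=o&m0=o&uploader=1` carries four `=` and three `&`, seven of the listed characters against the rule's threshold of six, while the Roundcube cookies carry none. The `exclusions` argument is an assumption added for the example: it skips named cookies the way a rule-update directive would.

```python
import re
from urllib.parse import unquote

# Regex of CRS 2.2.2 rule 981172 as printed in the audit log above, with the
# backslash escaping removed. The three UTF-8 byte sequences in the logged
# pattern (\xc2\xb4, \xe2\x80\x99, \xe2\x80\x98) are the characters ´ ’ ‘.
RESTRICTED_SQL_CHARS = re.compile(
    r"([~!@#$%^&*()\-+={}\[\]|:;\"'´’‘`<>].*){6,}"
)
# The same character class, for counting how far over the threshold a value is.
SPECIAL = set("~!@#$%^&*()-+={}[]|:;\"'´’‘`<>")
THRESHOLD = 6  # the {6,} quantifier in the pattern

# Constructed sample: the Cookie header from the 2.2.2 audit log in this thread,
# re-joined onto one line.
SAMPLE_COOKIE_HEADER = (
    "mailviewsplitterv=165; "
    "wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1; "
    "wp-settings-time-1=1314128296; "
    "roundcube_sessid=1b7ae7d350aca9dcc89493a63a2dbd24"
)


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header into name -> value. The value is left
    percent-encoded, which is how REQUEST_COOKIES looks before the rule's
    transformations run."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name] = value
    return cookies


def special_char_count(value: str) -> int:
    """Number of characters from the rule's class in an already decoded value."""
    return sum(1 for ch in value if ch in SPECIAL)


def rule_981172_fires(raw_value: str) -> bool:
    """Percent-decode the value (what t:urlDecodeUni does for these inputs),
    then apply the rule's regex."""
    return RESTRICTED_SQL_CHARS.search(unquote(raw_value)) is not None


def check_cookie_header(header: str, exclusions=()) -> dict:
    """Return {cookie_name: special_char_count} for every cookie that would
    trigger 981172. Names in `exclusions` are skipped; this models removing
    a target from the rule and is this example's own assumption, not a
    ModSecurity API."""
    hits = {}
    for name, raw in parse_cookies(header).items():
        if name in exclusions:
            continue
        if rule_981172_fires(raw):
            hits[name] = special_char_count(unquote(raw))
    return hits


if __name__ == "__main__":
    print(check_cookie_header(SAMPLE_COOKIE_HEADER))
    # -> {'wp-settings-1': 7}: four '=' and three '&' once the cookie is decoded
    print(check_cookie_header(SAMPLE_COOKIE_HEADER, exclusions=("wp-settings-1",)))
    # -> {}
```

Two practical points follow from the log rather than from the code. First, the correlation rule 981203 reports "Operator LT matched 5" with a total inbound score of 3, so on this setup the request is only flagged, not blocked. Second, if the noise is unwanted, the 981172 target list can be trimmed for that one cookie with a ModSecurity 2.6 rule-update directive placed after the CRS rules are included, for example `SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:wp-settings-1"`, which is what the `exclusions` argument above stands in for; excluding the whole REQUEST_COOKIES collection would be the wrong fix, since it is exactly where cookie-borne injection would otherwise be caught.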


