[Owasp-modsecurity-core-rule-set] Why is rule 981318 triggering?

Christian Klossek c.klossek at apodiscounter.de
Thu Aug 23 13:34:59 UTC 2012


Hi,

I'm using ModSecurity 2.6.7 with CRS 2.2.5 on a Debian Squeeze system.

Why is rule 981318 triggering on a GET parameter with a value of "ę"
(Unicode U+0119)?

I get this in my debug log (debug level 9):
-------------------------------------
SecRule
"REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*"
"@rx
(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
"phase:2,nolog,auditlog,rev:2.2.5,capture,t:none,t:urlDecodeUni,block,msg:'SQL
Injection Attack: Common Injection Testing
Detected',id:981318,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

Expanded
"REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*"
to "REQUEST_FILENAME|ARGS_NAMES:keywords|ARGS:keywords".

T (0) urlDecodeUni: "/test.php"
Transformation completed in 13 usec.
Executing operator "rx" with param
"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
against REQUEST_FILENAME.
Target value: "/test.php"
Operator completed in 9 usec.

T (0) urlDecodeUni: "keywords"
Transformation completed in 13 usec.
Executing operator "rx" with param
"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
against ARGS_NAMES:keywords.
Target value: "keywords"
Operator completed in 4 usec.

T (0) urlDecodeUni: "\xc4\x99"
Transformation completed in 14 usec.
Executing operator "rx" with param
"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
against ARGS:keywords.
Target value: "\xc4\x99"
Added regex subexpression to TX.0: \x99
Added regex subexpression to TX.1: \x99
Operator completed in 38 usec.
Setting variable: tx.msg=%{rule.msg}
Resolved macro %{rule.msg} to: SQL Injection Attack: Common Injection
Testing Detected
..
..
-------------------------------------------

Thanks for your help

Christian
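
An added example, not code from the thread or from CRS, that reproduces the match with Python's bytes regex, which, like PCRE without UTF mode, treats each \xNN inside [...] as a single byte (the TX.0 capture of \x99 in the log above is exactly that: the trailing byte of U+0119, which happens to be the last byte of U+2019). RULE_ALTERNATION and stray_byte_hits are hypothetical, for illustration only, and the sample values are constructed.

```python
import re

# Character class from CRS 2.2.5 rule 981318 as ModSecurity hands it to PCRE.
# Without PCRE's UTF mode every \xNN inside [...] is one byte, so the class
# also admits the lone bytes 0xc2 0xb4 0xe2 0x80 0x99 0x98 on their own.
RULE_981318 = rb"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"

# Hypothetical rewrite for illustration (not CRS rule text): each multi-byte
# sequence is its own alternation branch, so only a whole acute accent or
# curly quote can match, never a stray continuation byte of another character.
RULE_ALTERNATION = rb"(^(?:[\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+|(?:[\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+$)"

# Single bytes the original class accepts, and the characters it was meant to catch.
CLASS_BYTES = {0x22, 0x27, 0x60, 0x3B, 0xC2, 0xB4, 0xE2, 0x80, 0x99, 0x98}
INTENDED_CHARS = set('"\'`;´’‘')


def matched_fragment(pattern: bytes, value: bytes):
    """Return the bytes the rule would capture into TX.0, or None if no match."""
    m = re.search(pattern, value)
    return m.group(0) if m else None


def stray_byte_hits(text: str) -> list:
    """Characters whose UTF-8 encoding starts or ends with a byte the original
    class accepts although the character itself is not one it was meant to
    catch (e.g. U+0119 'ę' = c4 99 ends in 0x99)."""
    hits = []
    for ch in text:
        if ch in INTENDED_CHARS:
            continue
        raw = ch.encode("utf-8")
        if raw[0] in CLASS_BYTES or raw[-1] in CLASS_BYTES:
            hits.append(ch)
    return hits


if __name__ == "__main__":
    # Constructed sample parameter values, not taken from the thread.
    for value in ("ę", "'test", "x’", "plain"):
        raw = value.encode("utf-8")
        print(value, matched_fragment(RULE_981318, raw), matched_fragment(RULE_ALTERNATION, raw))
    print(stray_byte_hits("ęĘÀa"))
```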

