[Owasp-modsecurity-core-rule-set] Potential false positive?

Joakim Schramm joakim at astrocalc.com
Sat Jan 7 14:14:42 UTC 2012


Hi List,

my first post here so hope I get it right.

Setting up and testing a site I run into what I think is a false 
positive block, at least it doesn't make sense to me. The hit, or hits I 
may say, as 3 rules seem to be triggered and a 4th as a result thereof, 
comes from a url item in a css file pointing to an image file. How that 
can be judged as a critical web attack and sql injection attempt is 
over my head, although I understand there probably exists a logical 
explanation... and can it possibly be that these rules should exclude 
common image files?

Anyway, here are the related log lines and I hope they are understandable as 
there is no way to format them here. I have disguised ip and host names.

[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity: 
Warning. Pattern match 
"(?i:(?:\\\\d(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s+(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s+\\\\d)|(?:^admin\\\\s*(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)|(\\\\/\\\\*)+(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)+\\\\s?(?:--|#|\\\\/\\\\*|{)?)|(?:(\\"|'| 
..." at REQUEST_FILENAME. [file 
"/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] 
[line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass 
attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag 
"WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"] 
[hostname "shop.domain.com"] [uri 
"/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id 
"TwhAtsCoAWgAADYlFsAAAAAF"]
[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity: 
Warning. Pattern match 
"(?i:(?:@.+=\\\\s*\\\\(\\\\s*select)|(?:\\\\d+\\\\s*x?or|div|like|between|and\\\\s*\\\\d+\\\\s*[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*(?:drop|alter))|(?:(?:;|#|--)\\\\s*(?:update|insert)\\\\s 
..." at REQUEST_FILENAME. [file 
"/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] 
[line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 
1/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag 
"WEB_ATTACK/ID"] [hostname "shop.domain.com"] [uri 
"/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id 
"TwhAtsCoAWgAADYlFsAAAAAF"]
[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity: 
Warning. Pattern match 
"(?i:(?:(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s*\\\\*.+(?:x?or|div|like|between|and|id)\\\\W*(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\d)|(?:\\\\^(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98))|(?:^[\\\\w\\\\s(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)-]+( 
..." at REQUEST_FILENAME. [file 
"/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] 
[line "573"] [id "981243"] [msg "Detects classic SQL injection probings 
2/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag 
"WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"] [hostname "shop.domain.com"] 
[uri "/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id 
"TwhAtsCoAWgAADYlFsAAAAAF"]
[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity: 
Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file 
"/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line 
"37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound 
Score: 19, SQLi=, XSS=): 981243-Detects classic SQL injection probings 
2/2"] [hostname "shop.domain.com"] [uri 
"/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id 
"TwhAtsCoAWgAADYlFsAAAAAF"]

The css line that triggers looks like this:
.dashboard .box .box-title { background:url(../images/bkg_divider1.gif) 
0 100% repeat-x; padding:0 0 2px; margin:0 0 8px; text-align:right; }

Nothing scary really but how can this false positive be avoided? Is it 
best to improve the regexp or can well known image files be filtered out 
any other way?

TIA,

Joakim
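As an added illustration (not from the original post or from the CRS project), the fragment of rule 981248 quoted in the log shows why the image path matches: the alternation `\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+]` is not grouped, so the bare word `div` inside `bkg_divider1.gif` is enough. The tightened regex, the static-extension list and the function names below are assumptions of this example, not the CRS's own fix.

```python
import re

# Fragment of CRS rule 981248 as quoted in the log above: because the
# alternation is not grouped, the bare words "div", "like" and "between"
# match anywhere in the target, not only between two numbers.
RULE_981248_FRAGMENT = re.compile(
    r"(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])", re.IGNORECASE
)

# Tightened form (an illustration, not the CRS's own fix): the operator
# must sit between two numbers, as in the "1 div 1-" probes the rule is after.
TIGHTENED_FRAGMENT = re.compile(
    r"\d+\s*(?:x?or|div|like|between|and)\s*\d+\s*[\-+]", re.IGNORECASE
)

# Static-file extensions whose REQUEST_FILENAME we would keep out of the
# SQLi rules' target, the way a ctl:ruleRemoveTargetById exclusion keyed on
# the extension would in ModSecurity (assumed list).
STATIC_EXT = re.compile(r"\.(?:gif|jpe?g|png|css|js|ico)$", re.IGNORECASE)


def matched_data(pattern, request_filename):
    """Return the substring the rule would report as [data "..."], or None."""
    m = pattern.search(request_filename)
    return m.group(0) if m else None


def sqli_target_applies(request_filename):
    """Whether REQUEST_FILENAME should be evaluated by the SQLi rules at all."""
    return STATIC_EXT.search(request_filename) is None


def evaluate(request_filename, pattern=RULE_981248_FRAGMENT):
    """Simulate the rule with the static-file exclusion applied in front of it."""
    if not sqli_target_applies(request_filename):
        return None
    return matched_data(pattern, request_filename)


# Constructed samples: the URI from the log and a probe-shaped path.
URI_FROM_LOG = "/skin/frontend/domain/default/images/bkg_divider1.gif"
PROBE_PATH = "/index.php/1 div 1-"

if __name__ == "__main__":
    print(matched_data(RULE_981248_FRAGMENT, URI_FROM_LOG))  # div
    print(matched_data(TIGHTENED_FRAGMENT, URI_FROM_LOG))    # None
    print(evaluate(URI_FROM_LOG))                            # None
    print(matched_data(TIGHTENED_FRAGMENT, PROBE_PATH))      # 1 div 1-
```

The exclusion keeps the original rule intact for dynamic paths while dropping the static-image hit; tightening the regex instead changes what the rule catches, so it is the less conservative of the two options.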

