[Owasp-modsecurity-core-rule-set] Potential false positive?

Ryan Barnett RBarnett at trustwave.com
Sat Jan 7 15:58:07 UTC 2012


Joakim,
Thanks for posting to the list.  You can also open a jira ticket for the CRS here - https://www.modsecurity.org/tracker/

Looks like we will want to review those SQL Injection rules to tune them a bit better.  We added a bunch of rules as a result of the SQLi Challenge results - http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

While these new rules do help to reduce false negatives for SQLi, there seem to be a fair amount of false positives.

We can probably look to update the regex as this is triggering on "div". The quick fix for you would be to use SecRuleUpdateTargetById to remove REQUEST_FILENAME from the list - http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

Ryan

On Jan 7, 2012, at 9:26 AM, "Joakim Schramm" <joakim at astrocalc.com> wrote:

> Hi List,
>
> my first post here so hope I get it right.
>
> Setting up and testing a site I ran into what I think is a false
> positive block, at least it doesn't make sense to me. The hit or hits, I
> may say, as 3 rules seem to be triggered and a 4th as a result thereof,
> come from a url item in a css file pointing to an image file. How that
> can be judged as a critical web attack and sql injection attempt is
> over my head, although I understand there probably exists a logical
> explanation... and can it possibly be that these rules should exclude
> common image files?
>
> Anyway, here are the related log lines and I hope it's understandable as
> there is no way to format it here. I have disguised IP and host names.
>
> [Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
> Warning. Pattern match
> "(?i:(?:\\\\d(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s+(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s+\\\\d)|(?:^admin\\\\s*(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)|(\\\\/\\\\*)+(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)+\\\\s?(?:--|#|\\\\/\\\\*|{)?)|(?:(\\"|'|
> ..." at REQUEST_FILENAME. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass
> attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag
> "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> [hostname "shop.domain.com"] [uri
> "/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
> "TwhAtsCoAWgAADYlFsAAAAAF"]
> [Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
> Warning. Pattern match
> "(?i:(?:@.+=\\\\s*\\\\(\\\\s*select)|(?:\\\\d+\\\\s*x?or|div|like|between|and\\\\s*\\\\d+\\\\s*[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*(?:drop|alter))|(?:(?:;|#|--)\\\\s*(?:update|insert)\\\\s
> ..." at REQUEST_FILENAME. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts
> 1/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag
> "WEB_ATTACK/ID"] [hostname "shop.domain.com"] [uri
> "/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
> "TwhAtsCoAWgAADYlFsAAAAAF"]
> [Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
> Warning. Pattern match
> "(?i:(?:(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s*\\\\*.+(?:x?or|div|like|between|and|id)\\\\W*(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\d)|(?:\\\\^(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98))|(?:^[\\\\w\\\\s(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)-]+(
> ..." at REQUEST_FILENAME. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "573"] [id "981243"] [msg "Detects classic SQL injection probings
> 2/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag
> "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"] [hostname "shop.domain.com"]
> [uri "/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
> "TwhAtsCoAWgAADYlFsAAAAAF"]
> [Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
> Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line
> "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
> Score: 19, SQLi=, XSS=): 981243-Detects classic SQL injection probings
> 2/2"] [hostname "shop.domain.com"] [uri
> "/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
> "TwhAtsCoAWgAADYlFsAAAAAF"]
>
> The css line that triggers looks like this:
> .dashboard .box .box-title { background:url(../images/bkg_divider1.gif)
> 0 100% repeat-x; padding:0 0 2px; margin:0 0 8px; text-align:right; }
>
> Nothing scary really but how can this false positive be avoided? Is it
> best to improve the regexp or can well known image files be filtered out
> any other way?
>
> TIA,
>
> Joakim
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
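Why a path like `/images/bkg_divider1.gif` trips rule 981248 can be seen directly in the pattern quoted in the log. The following is an added example, not code from the thread or from the CRS project: it reconstructs the alternation fragment that produced `[data "div"]` (the log escapes each backslash twice, so `\\\\d` there is `\d` in the live regex), runs it against the logged REQUEST_FILENAME plus a few constructed paths, and compares it with an illustrative tightening in which the keyword list is grouped so that `div`, `like` and `between` no longer match as bare substrings. The tightened pattern and the sample paths other than the logged one are assumptions of this example, not an official CRS change.

```python
import re

# Fragment of the pattern quoted in the log for CRS rule 981248, reconstructed
# from the log line ("\\\\d" in the log is \d in the live regex). This is the
# alternation that produced [data "div"]: "div", "like" and "between" stand
# alone, so any filename containing them as a substring matches.
CRS_981248_FRAGMENT = re.compile(
    r"(?i)(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])"
)

# Illustrative tightening (an assumption of this example, not an official CRS
# change): the keywords are grouped so every branch needs the numeric context
# on both sides, e.g. "1 or 1-", which is the shape the rule is after.
TIGHTENED_FRAGMENT = re.compile(
    r"(?i)(?:\d+\s*(?:x?or|div|like|between|and)\s*\d+\s*[\-+])"
)

# REQUEST_FILENAME values: the first is the path from the log; the rest are
# constructed for this example.
SAMPLE_FILENAMES = [
    "/skin/frontend/domain/default/images/bkg_divider1.gif",
    "/images/like_button.png",
    "/products/1 or 1-",
    "/products/item.html",
]


def matched_data(pattern, request_filename):
    """Return the substring the pattern matches (what ModSecurity reports as
    [data "..."]), or None when the rule would not fire on this value."""
    match = pattern.search(request_filename)
    return match.group(0) if match else None


def compare_patterns(filenames=SAMPLE_FILENAMES):
    """Map each REQUEST_FILENAME to (original match, tightened match)."""
    return {
        name: (matched_data(CRS_981248_FRAGMENT, name),
               matched_data(TIGHTENED_FRAGMENT, name))
        for name in filenames
    }


if __name__ == "__main__":
    for name, (orig, tight) in compare_patterns().items():
        print(f"{name!r:58} original={orig!r:12} tightened={tight!r}")
```

Running it shows the logged path matching only on `div` with the original fragment and not at all with the tightened one, while the constructed `1 or 1-` still fires under both. Until the regex itself is revised, the quick fix Ryan mentions is a target exclusion, for example `SecRuleUpdateTargetById 981248 "!REQUEST_FILENAME"` (one directive per rule id, placed after the CRS include); note that this removes REQUEST_FILENAME from that rule for every request, not just for static image paths, so the remaining targets of the rule are what still protect you.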
