[Owasp-modsecurity-core-rule-set] Paranoia Mode: Controversial candidate 950120 / 931130 (Possible RFI)

Christian Folini christian.folini at netnea.com
Tue Feb 2 08:06:00 UTC 2016


Hello,

Walter has added substantial feedback on the list of possible paranoia
mode candidates. I think 8 candidates are controversial (out of about 45
candidates).

I'd like to discuss them here one by one.

Controversial Paranoia Mode Candidate 950120 (2.2.X) / 931130 (3.0.0rc1)
msg: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link 

Rule in 2.2.9:
SecRule ARGS "^(?:ht|f)tps?://(.*)$" \
        "chain,phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
        SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"

Rule in 3.0.0rc1:
SecRule ARGS "^(?:ht|f)tps?://(.*)$" \
    "chain,\
    phase:request,\
    rev:'3',\
    ver:'OWASP_CRS/3.0.0',\
    maturity:'9',\
    accuracy:'9',\
    t:none,\
    capture,\
    ctl:auditLogParts=+E,\
    block,\
    msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    id:'931130',\
    severity:'CRITICAL',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-remote file inclusion',\
    tag:'OWASP_CRS/WEB_ATTACK/RFI'"
        SecRule TX:1 "!@beginsWith %{request_headers.host}" \
            "setvar:'tx.msg=%{rule.msg}',\
            setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
            setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
            setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"


In my blogpost at
https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/
I identified the said rule as one with very few false positives. Walter however brought it up as a rule with many false positives.
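To make the chain's behaviour concrete, here is an added Python re-implementation of the two-rule logic (constructed for this discussion, not CRS or ModSecurity code) run over constructed requests; the Host value, the argument values and the anomaly-score value of 5 are assumptions, and the last sample shows a legitimate off-domain link in a form field, the kind of input the chain also flags.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Re-implementation (constructed example, not CRS or ModSecurity code) of the
# two-rule chain quoted above. ModSecurity's rx operator is case-sensitive and
# t:none applies no transformation, so only a lowercase scheme matches.
RFI_RE = re.compile(r"^(?:ht|f)tps?://(.*)$")
CRITICAL_ANOMALY_SCORE = 5  # assumed value of tx.critical_anomaly_score


@dataclass
class Tx:  # the part of the TX collection the chained rule writes to
    anomaly_score: int = 0
    rfi_score: int = 0
    matches: List[Tuple[str, str]] = field(default_factory=list)  # (ARG name, TX.1)


def evaluate_931130(host: str, args: Dict[str, str], tx: Optional[Tx] = None) -> Tx:
    """Run the chain over every ARGS entry, the way ModSecurity iterates ARGS."""
    tx = tx or Tx()
    for name, value in args.items():
        m = RFI_RE.match(value)
        if not m:
            continue  # first rule did not match, chain stops for this ARG
        tx_1 = m.group(1)  # capture group 1 = everything after "scheme://"
        # Second rule: "!@beginsWith %{request_headers.host}" applied to TX:1.
        if tx_1.startswith(host):
            continue  # link points back to this host, chain does not complete
        tx.rfi_score += CRITICAL_ANOMALY_SCORE
        tx.anomaly_score += CRITICAL_ANOMALY_SCORE
        tx.matches.append((name, tx_1))
    return tx


# Constructed requests against an assumed Host header of forum.example.com.
HOST = "forum.example.com"
SAMPLES = {
    "off_domain_include": {"page": "http://files.example.net/page.txt"},
    "same_host_link":     {"next": "https://forum.example.com/thread/42"},
    "plain_text":         {"q": "paranoia mode candidates"},
    "upper_case_scheme":  {"page": "HTTP://files.example.net/page.txt"},
    "profile_website":    {"website": "https://blog.example.org/"},
}


def run_samples() -> Dict[str, int]:
    """Anomaly score per sample; profile_website is the false-positive pattern."""
    return {label: evaluate_931130(HOST, args).anomaly_score
            for label, args in SAMPLES.items()}
```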

A wider perspective is thus needed.

Does anybody have anything to add?

Best,

Christian


-- 
mailto:christian.folini at netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini