[Owasp-modsecurity-core-rule-set] Rules triggering False Positives frequently
christian.folini at netnea.com
Mon Jan 18 04:30:18 UTC 2016
ModSecurity – or any WAF for that matter – produces false positives. If
it does not produce false positives, then it’s probably dead. A strict
ruleset like the OWASP ModSecurity Core Rules brings a lot of false
positives and it takes some tuning to get to a reasonable level of
alerts. If you have tuned a few services, then some of the rules will
become familiar to you. But which ones are these rules?
I have assembled them in a blogpost at:
Naturally, these rules are candidates to be moved to the said
Here are the most frequent "offenders" based on my experience (=
950901 SQL Injection Attack: SQL Tautology Detected.
959073 SQL Injection Attack
960015 Request Missing an Accept Header
960017 Host header is a numeric IP address
960024 Meta-Character Anomaly Detection Alert – Repetative Non-Word ...
981172 Restricted SQL Character Anomaly Detection Alert – Total # ...
981173 Restricted SQL Character Anomaly Detection Alert – Total # ...
981231 SQL Comment Sequence Detected
981243 Detects classic SQL injection probings 2/2
981248 Detects chained SQL injection attempts 1/2
981260 SQL Hex Encoding Identified
Have a good week, everybody!
You don't have to be great to start, but you have to
start to be great.
-- Zig Ziglar
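As an added example (not code from Christian's post or from the CRS project): a small Python script that does the counting behind a list like the one above, parsing ModSecurity 2.x alert lines from the Apache error log and ranking rule ids by hit count together with the URI that triggers each rule most often, which is the usual starting point for a scoped rule exclusion. The log lines are constructed for the example; the rule ids and messages are those listed in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in the format ModSecurity 2.x writes to the Apache
# error log. Rule ids and messages come from the post; clients, hostnames,
# paths and timestamps are made up for this example.
SAMPLE_LOG = """\
[Mon Jan 18 04:30:18 2016] [error] [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/api/status"]
[Mon Jan 18 04:30:19 2016] [error] [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/api/status"]
[Mon Jan 18 04:31:02 2016] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [id "981231"] [msg "SQL Comment Sequence Detected"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/blog/post"]
[Mon Jan 18 04:31:40 2016] [error] [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/api/health"]
[Mon Jan 18 04:32:11 2016] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]
[Mon Jan 18 04:32:12 2016] [notice] [client 203.0.113.5] unrelated Apache notice without ModSecurity fields
"""

# Only lines carrying an id, msg and uri field are alerts worth counting.
ALERT_RE = re.compile(
    r'ModSecurity: .*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]'
    r'.*?\[uri "(?P<uri>[^"]*)"\]')

def parse_alerts(log_text):
    """Yield (rule_id, msg, uri) for every line that carries a ModSecurity alert."""
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("id"), m.group("msg"), m.group("uri")

def rule_hit_counts(log_text):
    """Count alerts per rule id and, per rule, which URIs triggered it."""
    hits = Counter()
    uris = defaultdict(Counter)
    msgs = {}
    for rule_id, msg, uri in parse_alerts(log_text):
        hits[rule_id] += 1
        uris[rule_id][uri] += 1
        msgs[rule_id] = msg
    return hits, msgs, uris

def top_offenders(log_text, n=10):
    """Return [(rule_id, count, msg, most_common_uri)], busiest rule first."""
    hits, msgs, uris = rule_hit_counts(log_text)
    return [(rid, cnt, msgs[rid], uris[rid].most_common(1)[0][0])
            for rid, cnt in hits.most_common(n)]

if __name__ == "__main__":
    for rid, cnt, msg, uri in top_offenders(SAMPLE_LOG):
        print(f"{cnt:5d}  {rid}  {msg}  (mostly on {uri})")
```

Run it against a real error log to see which of the rules above dominate on your own service before deciding which ones to exclude, and where.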