[Owasp-modsecurity-core-rule-set] Rules triggering False Positives frequently

Christian Folini christian.folini at netnea.com
Mon Jan 18 12:06:27 UTC 2016


Hi theMiddle,

On Mon, Jan 18, 2016 at 10:29:42AM +0100, theMiddle wrote:
> nice post! I completely agree about these following rules:

Thank you for the thumbs up. It's always nice to hear when
people agree with a point in a post.

> My users often disable these two rules. I think that a false
> positive occurs each time these rules match a sequence of the same
> char in the URL. For example /mypost/title-of-my-new-blogpost or
> /verifyurl/sessionid----abcde1234.

In fact it is the total number of occurrences of any combination
of special characters, which is in fact a great indicator of
any type of evil intent. But it comes with a lot of false
positives.

> Probably this shouldn't happen with a rule that matches a sequence of
> different chars in the URL (/foo/bar-john@doe(bla)).

Actually, UUIDs in cookies,
i.e. b079d69c-bddb-11e5-822b-9f71f5c3a1fe, will really get your
WAF glowing.

Cheers,

Christian


-- 
In war you will generally find that the enemy has at any time 
three courses of action open to him. Of those three, he will 
invariably choose the fourth.
-- Helmuth Von Moltke
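The exchange above is about a rule that scores the total number of special characters in a value and therefore fires on hyphenated slugs and on UUIDs. The following is an added Python model of that behaviour, not code from the thread or from the CRS project: the character class (Python's punctuation set), the thresholds, the UUID exclusion and the "distinct characters" variant are all assumptions chosen to show the trade-off, and the SQL probe string is a constructed true-positive sample. It runs the three benign values quoted in the thread and the probe through the naive count and through a tuned check.

```python
"""Model of a special-character anomaly check and two false-positive mitigations.

Added illustration; the character class, thresholds and helper names are
assumptions, not the actual CRS rule definitions.
"""
import re
import string
from typing import Callable, Dict

# Characters counted by the model rule (assumption: Python's punctuation set).
SPECIAL_CHARS = frozenset(string.punctuation)

# Canonical UUID text form, e.g. b079d69c-bddb-11e5-822b-9f71f5c3a1fe.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample values: the three benign ones from the thread plus one
# textbook SQL injection probe as the true positive the rule is meant to catch.
SAMPLES: Dict[str, str] = {
    "blog_slug": "/mypost/title-of-my-new-blogpost",
    "session_url": "/verifyurl/sessionid----abcde1234",
    "uuid_cookie": "b079d69c-bddb-11e5-822b-9f71f5c3a1fe",
    "sqli_probe": "1' OR 1=1; --",
}


def count_special_total(value: str) -> int:
    """Total occurrences of any special character (what the thread says the rule scores)."""
    return sum(1 for c in value if c in SPECIAL_CHARS)


def count_special_distinct(value: str) -> int:
    """Number of different special characters present in the value."""
    return len({c for c in value if c in SPECIAL_CHARS})


def naive_rule(value: str, threshold: int = 4) -> bool:
    """Fires when the total special-character count reaches the threshold."""
    return count_special_total(value) >= threshold


def tuned_rule(value: str, total_threshold: int = 4, distinct_threshold: int = 3) -> bool:
    """Same check with two mitigations:
    1. values in a known benign format (here a UUID) are excluded entirely, the
       way a WAF rule exclusion removes a parameter or cookie from a rule's targets;
    2. the count must also involve several *different* special characters, so a
       run of one separator (hyphenated slugs, '----') no longer trips it alone.
    """
    if UUID_RE.match(value):
        return False
    return (count_special_total(value) >= total_threshold
            and count_special_distinct(value) >= distinct_threshold)


def evaluate(rule: Callable[[str], bool]) -> Dict[str, bool]:
    """Apply a rule to every sample and report which ones it flags."""
    return {name: rule(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:12} total={count_special_total(value)} "
              f"distinct={count_special_distinct(value)} "
              f"naive={naive_rule(value)} tuned={tuned_rule(value)}")
```

With these settings the naive count flags all four samples (the two slugs score 6, the UUID scores exactly 4), while the tuned check clears the three benign values and still flags the probe. The distinct-character variant is only one possible tuning; in a real deployment the more common fix is the exclusion shown in the UUID branch, applied to the specific cookie or parameter that carries the known-format value, so the rule keeps scoring everything else.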


More information about the Owasp-modsecurity-core-rule-set mailing list