[Owasp-modsecurity-core-rule-set] False positive on rule 920300

Christian Folini christian.folini at netnea.com
Tue Nov 15 19:40:24 UTC 2016


Kamil,

Thanks for reporting.

You are facing the following alerts:

920300 REQUEST_HEADERS:User-Agent     Request Missing an Accept Header
920300 REQUEST_HEADERS:User-Agent     Request Missing an Accept Header
942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass

920300 is usually legitimate and likely points to a client not sending
the accept header like it should. This is a widespread misbehaviour.
That is why we pushed the rule to paranoia level 2. You are apparently
running PL2 or higher. You should thus tune this alert away via a rule
exclusion.

The 942260 is likely also legitimate. It's just that your poor client
has a session cookie smelling of SQL authentication bypass. You
should exclude the said cookie from the list of parameters examined
by 942260.

My tutorials at https://www.netnea.com/cms/apache-tutorials give
you detailed step-by-step instructions on how to do this.

Best,

Christian



On Tue, Nov 15, 2016 at 05:54:52PM +0100, kamil kapturkiewicz wrote:
> Hi,
> I have had this issue with the previous 2.2.9 version, but I am not really sure if it is related to mod_security itself or to the CRS. The problem is with some Windows machines; below is the example from one of our corporate users, who is working on a Windows 7 machine. I am pretty sure the machine is not infected by malware or something, and this problem occurs on FF, Chrome, Opera and IE. But in combination with fail2ban, this cuts him off from the web server every time he is trying to access the company website. Do
> you guys have any idea what is causing this?
> 
> [Tue Nov 15 16:26:41.962933 2016] [:error] [pid 31434] [client 213.81.82.201] ModSecurity: Warning. Match of "pm 
> AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag 
> "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> [Tue Nov 15 16:26:41.963976 2016] [:error] [pid 31434] [client 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..." at REQUEST_COOKIES:OutlookSession. [file 
> "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag 
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> [Tue Nov 15 16:26:44.390517 2016] [:error] [pid 31254] [client 213.81.82.201] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag 
> "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
> [Tue Nov 15 16:26:44.391535 2016] [:error] [pid 31254] [client 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..." at REQUEST_COOKIES:OutlookSession. [file 
> "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag 
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
> 
> 
> 
> 
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
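The two exclusions Christian describes, written out as CRS 3.0 runtime rule exclusions. This is an added example, not part of the reply or of the CRS project's own files; the rule ids 10001/10002 and the scoping to the /autodiscover/ path seen in the log are assumptions.

```apache
# Added example: put these in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
# They run in phase 1, before the CRS rules, and adjust the rule set only
# for the current transaction. Rule ids 10001/10002 are assumed; choose
# free ids from your own range.

# 920300 (Request Missing an Accept Header, paranoia level 2): the client
# hitting /autodiscover/ sends no Accept header, so drop the rule only for
# that path rather than disabling it site-wide.
SecRule REQUEST_URI "@beginsWith /autodiscover/" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveById=920300"

# 942260 (basic SQL auth bypass 2/3): the OutlookSession cookie carries a
# brace-delimited id in double quotes, which the pattern mistakes for a
# quoted SQL fragment. Remove only that cookie from the rule's targets;
# every other argument and cookie is still inspected by 942260.
SecRule REQUEST_URI "@beginsWith /autodiscover/" \
    "id:10002,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942260;REQUEST_COOKIES:OutlookSession"

# Unconditional equivalent of the second rule, applied at startup instead
# of per request. It must be loaded after the CRS rules, i.e. belongs in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, not in the file above:
#   SecRuleUpdateTargetById 942260 "!REQUEST_COOKIES:OutlookSession"
```

After reloading Apache, replay the failing request and confirm that the audit log no longer shows 920300 or 942260 for /autodiscover/autodiscover.xml while both rules still fire elsewhere.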

