[Owasp-modsecurity-core-rule-set] Rules triggering False Positives frequently

Christian Folini christian.folini at netnea.com
Mon Jan 18 04:30:18 UTC 2016

Hi there,

ModSecurity – or any WAF for that matter – produces false positives. If
it does not produce false positives, then it’s probably dead. A strict
ruleset like the OWASP ModSecurity Core Rules brings a lot of false
positives and it takes some tuning to get to a reasonable level of
alerts. If you have tuned a few services, then some of the rules will
become familiar to you. But which ones are these rules?

I have assembled them in a blogpost at:

Naturally, these rules are candidates to be moved to the said
paranoia mode.

Here are the most frequent "offenders" based on my experience (=
customer sites).

950901 	SQL Injection Attack: SQL Tautology Detected.
959073 	SQL Injection Attack
960015 	Request Missing an Accept Header
960017 	Host header is a numeric IP address
960024 	Meta-Character Anomaly Detection Alert – Repetative Non-Word ...
981172 	Restricted SQL Character Anomaly Detection Alert – Total # ...
981173 	Restricted SQL Character Anomaly Detection Alert – Total # ...
981231 	SQL Comment Sequence Detected
981243 	Detects classic SQL injection probings 2/2
981248 	Detects chained SQL injection attempts 1/2
981260 	SQL Hex Encoding Identified

Comments welcome.

Have a good week, everybody!


You don't have to be great to start, but you have to 
start to be great. 
-- Zig Ziglar

More information about the Owasp-modsecurity-core-rule-set mailing list