[Owasp-modsecurity-core-rule-set] Rules triggering False Positives frequently

Christian Folini christian.folini at netnea.com
Mon Jan 18 12:06:27 UTC 2016

Hi theMiddle,

On Mon, Jan 18, 2016 at 10:29:42AM +0100, theMiddle wrote:
> nice post! I completely agree about these following rules:

Thank you for the thumbs up. It's always nice to hear when
people agree with a point in a post.

> My users often disable these two rules. I think that a false
> positive occurs each time these rules match a sequence of the same
> char in the URL. For example /mypost/title-of-my-new-blogpost or
> /verifyurl/sessionid----abcde1234.

In fact it is the total number of occurrences of any combination
of special characters. Which is in fact a great indicator of
any type of evil intent. But it comes with a lot of false

> Probably this shouldn't happen with a rule that matches a sequence of
> different chars in the URL (/foo/bar-john at doe(bla)).

Actually, uuids in cookies
i.e.  b079d69c-bddb-11e5-822b-9f71f5c3a1fe will really get your
WAF glowing.



In war you will generally find that the enemy has at any time 
three courses of action open to him. Of those three, he will 
invariably choose the fourth.
-- Helmuth Von Moltke
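
An added example, not part of the original message or of the Core Rule Set: it contrasts the two readings discussed in this thread, a run of the same character versus the total count of special characters, on the strings quoted above. The character class and the threshold of 4 are assumptions chosen for illustration; the thread does not give the actual rule definitions.

```python
import re

# Assumed special-character class and threshold (illustrative only; the
# real rule patterns are not shown in this thread).
SPECIAL = re.compile(r"""[~!@#$%^&*()\-+={}\[\]|:;"'`<>]""")
THRESHOLD = 4

def total_special(value):
    """Total number of special characters, whatever their mix or position."""
    return len(SPECIAL.findall(value))

def longest_run(value):
    """Length of the longest run of one identical special character."""
    runs = re.finditer(r"(" + SPECIAL.pattern + r")\1*", value)
    return max((len(m.group(0)) for m in runs), default=0)

def flagged_by_total(value, threshold=THRESHOLD):
    # Reading given in the reply: count every special character in the value.
    return total_special(value) >= threshold

def flagged_by_run(value, threshold=THRESHOLD):
    # Reading suggested in the quoted mail: a sequence of the same character.
    return longest_run(value) >= threshold

# Strings taken verbatim from the thread.
SAMPLES = [
    "/mypost/title-of-my-new-blogpost",
    "/verifyurl/sessionid----abcde1234",
    "/foo/bar-john at doe(bla)",
    "b079d69c-bddb-11e5-822b-9f71f5c3a1fe",  # the uuid cookie value
]

def report(samples=SAMPLES):
    """Return (value, total, longest run, total-model hit, run-model hit)."""
    return [
        (s, total_special(s), longest_run(s),
         flagged_by_total(s), flagged_by_run(s))
        for s in samples
    ]

if __name__ == "__main__":
    for value, total, run, by_total, by_run in report():
        print(f"{value:40} total={total} run={run} "
              f"total-model={by_total} run-model={by_run}")
```

Under these assumptions the uuid and the blog-post title are flagged by the total count although no character repeats, which is why exempting only same-character runs would not remove the false positives.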
