[Owasp-modsecurity-core-rule-set] False positive on rule 920300

Jose Pablo Valcárcel Lázaro pablo.valcarcel1980 at gmail.com
Tue Nov 15 17:23:23 UTC 2016


Hello.

What I can read from logs is that you have 3 errors:
A) Warning about User-Agent required..normally when you use a browser you
send your User-Agent to the web server:"REQUEST_HEADERS:User-Agent"
required. I'm not sure if that computer is hidding it in someway and that's
the reason of that warning

B)Notice concerning about protocol enforcement: Request Missing an Accept
Header: This is similar to ACK sent by servers when a protocol receives a
client SYN.In http/s you can force for a accept header and modsecurity is
checking it.

C)ModSecurity is detecting several sql injection bypasses:
REQUEST_COOKIES:OutlookSession. [file
"/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
[line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication
bypass attempts 2/3"]

The first 2 warnings are not very important, you could whitelist ip for the
2 first rules:
1)REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1251"] [id "920300"]

2)[msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver
"OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"]
[tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
"OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"]

I'm not completely sure that computer is clean of malware because of third
error:
REQUEST_COOKIES:OutlookSession. [file
"/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
[line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication
bypass attempts 2/3"]

It seems that computer is trying to access OWA  (Outlook web access) and it
seems is masking USER-AGENT and ignoring ACCEPT header that many bots like
Spasm sources ignore many protocol rules.

You could whitelist that ip but I would perform malware analysis,  memory
dump and forensic stuff on that computer.

I recently had to format my computer because it was doing connections and I
wasn't able to detect the source with TCP view (Mark Russinovich great
windows tool), netstat and process explorer.

Regards



El mar., 15 de noviembre de 2016 17:59, kamil kapturkiewicz <horizn at wp.pl>
escribió:

> Hi,
> I have had this issue with previous 2.2.9 version, but I am not really
> sure is related to mod_security it self or to CRS. The problem is with some
> Windows machines, below is the example from one of our corporate user, who
> is working on Windows 7 machine. I am pretty sure machine is not infected
> by malware or something, and this problem occures on FF, Chrome, Opera and
> IE. But in combination with fail2ban, this cut him off from web server
> every time he is trying to access company website. Do
> you guys have any idea what is causing this?
>
> [Tue Nov 15 16:26:41.962933 2016] [:error] [pid 31434] [client
> 213.81.82.201] ModSecurity: Warning. Match of "pm
> AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file
> "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag
> "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag
> "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname "
> domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id
> "WCs3QX8AAQEAAHrKJTMAAAAF"]
> [Tue Nov 15 16:26:41.963976 2016] [:error] [pid 31434] [client
> 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern
> match
> "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h
> ..." at REQUEST_COOKIES:OutlookSession. [file
> "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication
> bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within
> REQUEST_COOKIES:OutlookSession:
> \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"]
> [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> "attack-sqli"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag
> "paranoia-level/2"] [hostname "domain.com"] [uri
> "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> [Tue Nov 15 16:26:44.390517 2016] [:error] [pid 31254] [client
> 213.81.82.201] ModSecurity: Warning. Match of "pm AppleWebKit Android"
> against "REQUEST_HEADERS:User-Agent" required. [file
> "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag
> "platform-multi"] [tag
> "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag
> "paranoia-level/2"] [hostname "domain.com"] [uri
> "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
> [Tue Nov 15 16:26:44.391535 2016] [:error] [pid 31254] [client
> 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern
> match
> "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h
> ..." at REQUEST_COOKIES:OutlookSession. [file
> "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication
> bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within
> REQUEST_COOKIES:OutlookSession:
> \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"]
> [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> "attack-sqli"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag
> "paranoia-level/2"] [hostname "domain.com"] [uri
> "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
>
>
>
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20161115/1a86a768/attachment-0001.html>


More information about the Owasp-modsecurity-core-rule-set mailing list