[Owasp-modsecurity-core-rule-set] False positive on rule 920300

Christian Folini christian.folini at netnea.com
Tue Nov 15 21:38:04 UTC 2016


On Tue, Nov 15, 2016 at 07:53:52PM +0000, Jose Pablo Valcárcel Lázaro wrote:
> Sorry Christian. I didn't look in your tutorial CRS3:
> 
> 152 x 942260 Detects basic SQL authentication bypass attempts 2/3
> -----------------------------------------------------------------
>       # ModSec Rule Exclusion: 942260 : Detects basic SQL authentication
> bypass attempts 2/3
>       SecRule REQUEST_URI "@beginsWith /drupal/index.php/search/node"
> "phase:2,nolog,pass,id:10003,ctl:ruleRemoveTargetById=942260;ARGS:keys"

Nevermind. ;)

And the fact that my tutorial works with the same rule
is pure coincidence.

Ahoj,

Christian


> 
> Regards
> 
> On Tue, Nov 15, 2016 at 20:44, Christian Folini <
> christian.folini at netnea.com> wrote:
> 
> > Kamil,
> >
> > Thanks for reporting.
> >
> > You are facing the following alerts:
> >
> > 920300 REQUEST_HEADERS:User-Agent     Request Missing an Accept Header
> > 920300 REQUEST_HEADERS:User-Agent     Request Missing an Accept Header
> > 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
> > 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
> >
> > 920300 is usually legitimate and likely points to a client not sending
> > the accept header like it should. This is a widespread misbehaviour.
> > That is why we pushed the rule to paranoia level 2. You are apparently
> > running PL2 or higher. You should thus tune this alert away via a rule
> > exclusion.
> >
> > The 942260 is likely also legitimate. It's just that your poor client
> > has a session cookie smelling of SQL authentication bypass. You
> > should exclude the said cookie from the list of parameters examined
> > by 942260.
> >
> > My tutorials at https://www.netnea.com/cms/apache-tutorials give
> > you detailed step-by-step instructions on how to do this.
> >
> > Best,
> >
> > Christian
> >
> >
> >
> > On Tue, Nov 15, 2016 at 05:54:52PM +0100, kamil kapturkiewicz wrote:
> > > Hi,
> > > I have had this issue with the previous 2.2.9 version, but I am not really
> > > sure if it is related to mod_security itself or to CRS. The problem is with some
> > > Windows machines; below is the example from one of our corporate users, who
> > > is working on a Windows 7 machine. I am pretty sure the machine is not infected
> > > by malware or something, and this problem occurs on FF, Chrome, Opera and
> > > IE. But in combination with fail2ban, this cuts him off from the web server
> > > every time he is trying to access the company website. Do
> > > you guys have any idea what is causing this?
> > >
> > > [Tue Nov 15 16:26:41.962933 2016] [:error] [pid 31434] [client
> > 213.81.82.201] ModSecurity: Warning. Match of "pm
> > > AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required.
> > [file
> > "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> > [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept
> > Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> > [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag
> > "platform-multi"] [tag "attack-protocol"] [tag
> > "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> > "WASCTC/WASC-21"] [tag
> > > "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname
> > "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id
> > "WCs3QX8AAQEAAHrKJTMAAAAF"]
> > > [Tue Nov 15 16:26:41.963976 2016] [:error] [pid 31434] [client
> > 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern
> > match
> > "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h
> > ..." at REQUEST_COOKIES:OutlookSession. [file
> > >
> > "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> > [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication
> > bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within
> > REQUEST_COOKIES:OutlookSession:
> > \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"]
> > [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
> > "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> > "attack-sqli"] [tag
> > > "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> > "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag
> > "paranoia-level/2"] [hostname "domain.com"] [uri
> > "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> > > [Tue Nov 15 16:26:44.390517 2016] [:error] [pid 31254] [client
> > 213.81.82.201] ModSecurity: Warning. Match of "pm AppleWebKit Android"
> > against "REQUEST_HEADERS:User-Agent" required. [file
> > "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> > [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept
> > Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"]
> > [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag
> > "platform-multi"] [tag
> > > "attack-protocol"] [tag
> > "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> > "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag
> > "paranoia-level/2"] [hostname "domain.com"] [uri
> > "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
> > > [Tue Nov 15 16:26:44.391535 2016] [:error] [pid 31254] [client
> > 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern
> > match
> > "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h
> > ..." at REQUEST_COOKIES:OutlookSession. [file
> > >
> > "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> > [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication
> > bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within
> > REQUEST_COOKIES:OutlookSession:
> > \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"]
> > [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
> > "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> > "attack-sqli"] [tag
> > > "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> > "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag
> > "paranoia-level/2"] [hostname "domain.com"] [uri
> > "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
> > > _______________________________________________
> > > Owasp-modsecurity-core-rule-set mailing list
> > > Owasp-modsecurity-core-rule-set at lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

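The two rule exclusions Christian describes for Kamil's alerts, written out as an added example that is not part of this thread or of the CRS project. It assumes the URI, cookie name and rule ids from Kamil's log, that the local ids 10001 and 10002 are unused, and that the runtime (ctl:) rules are loaded before the CRS rules, as CRS 3 requires.

```apache
# Added example (not from the thread or from the CRS project): rule exclusions
# for the two false positives on /autodiscover/autodiscover.xml.
# Assumptions: ids 10001/10002 are free; this file is loaded BEFORE the CRS
# rules (e.g. REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf), which ctl:
# exclusions require, because they must run before the rule they modify.

# 920300 (Request Missing an Accept Header) is a paranoia-level-2 rule and the
# autodiscover client simply does not send Accept. Drop the rule for that URI
# only, instead of lowering the paranoia level for the whole site.
SecRule REQUEST_URI "@beginsWith /autodiscover/autodiscover.xml" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveById=920300"

# 942260 (SQL authentication bypass 2/3) matched the OutlookSession cookie,
# whose quoted GUID value happens to fit the pattern. Keep the rule active
# but stop it from inspecting that one cookie on that URI; every other
# parameter and cookie is still examined.
SecRule REQUEST_URI "@beginsWith /autodiscover/autodiscover.xml" \
    "id:10002,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942260;REQUEST_COOKIES:OutlookSession"

# Alternative if the cookie is sent on every URI of the application: a static
# exclusion, loaded AFTER the CRS rules, that strips the target from 942260
# at configuration-load time instead of per request.
# SecRuleUpdateTargetById 942260 "!REQUEST_COOKIES:OutlookSession"
```

After reloading, the alerts for these two ids should vanish from the error log for that URI while 942260 keeps firing on genuine payloads in other parameters; if 942260 still triggers on the cookie, the exclusion file was loaded after the CRS rules.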


