[Owasp-modsecurity-core-rule-set] Odp: Re: False positive on rule 920300

kamil kapturkiewicz horizn at wp.pl
Wed Nov 16 14:34:28 UTC 2016


Thanks Christian, and your tutorials are very helpful.

On Tuesday, 15 November 2016 20:40, Christian Folini <christian.folini at netnea.com> wrote:
> Kamil,
> 
> Thanks for reporting.
> 
> You are facing the following alerts:
> 
> 920300 REQUEST_HEADERS:User-Agent     Request Missing an Accept Header
> 920300 REQUEST_HEADERS:User-Agent     Request Missing an Accept Header
> 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
> 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
> 
> 920300 is usually legitimate and likely points to a client not sending
> the Accept header like it should. This is a widespread misbehaviour.
> That is why we pushed the rule to paranoia level 2. You are apparently
> running PL2 or higher. You should thus tune this alert away via a rule
> exclusion.
> 
> The 942260 is likely also legitimate. It's just that your poor client
> has a session cookie smelling of SQL authentication bypass. You
> should exclude the said cookie from the list of parameters examined
> by 942260.
> 
> My tutorials at https://www.netnea.com/cms/apache-tutorials give
> you detailed step-by-step instructions on how to do this.
> 
> Best,
> 
> Christian

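The two exclusions Christian recommends, written out as ModSecurity directives. This is an added example for this thread, not configuration from the original mail or from the CRS project; the rule id 10001 and the /owa/ path prefix in the conditional variant are placeholders chosen for illustration.

```apache
# Startup-time exclusions. These directives must be loaded AFTER the CRS
# rule files, e.g. in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, because
# they modify rules that have to exist already.

# 920300 fires on every request from a client that omits the Accept header.
# Removing the rule for the whole site is the simplest option; every other
# CRS rule still inspects the request.
SecRuleRemoveById 920300

# 942260 matched on the value of the OutlookSession cookie. Rather than
# disabling the SQL auth-bypass check, drop only that cookie from the rule's
# target list so all other parameters are still examined.
SecRuleUpdateTargetById 942260 "!REQUEST_COOKIES:OutlookSession"

# Runtime alternative, limited to one URL prefix. This form must be loaded
# BEFORE the CRS rule files (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf),
# since ctl: actions only affect rules evaluated later in the transaction.
# The id 10001 and the /owa/ prefix are placeholders for this example.
SecRule REQUEST_URI "@beginsWith /owa/" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveById=920300,\
    ctl:ruleRemoveTargetById=942260;REQUEST_COOKIES:OutlookSession"
```

After reloading, the two alert lines quoted above should disappear from the audit log for affected requests while any other 9xxxxx rule hits remain visible.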
More information about the Owasp-modsecurity-core-rule-set mailing list