I am guessing that rule is counting the number of '&'s in the URI. Have had the same issue.

--
Thanks,
OS

----- Original Message -----
From: "Thomas D. Dahlmann" <[email protected]>
To: [email protected]
Sent: Friday, 2 September, 2011 3:27:51 PM
Subject: [Owasp-modsecurity-core-rule-set] Restricted SQL Character Anomaly Detection Alert and Roundcube mail

Hi

I've got the below shown exception when I try to hit my webmail site. What kind of "bad" characters is the rule complaining about in this request?

--63235740-A--
[02/Sep/2011:15:59:55 +0200] TmDhWX8AAQEAAClL2qkAAAAJ x.x.x.x 28681 2.2.2.2 443
--63235740-B--
GET /?_task=mail&_remote=1&_action=list&_mbox=RoundCube&_page=1&_refresh=1&_=1314971993364&_unlock=loading1314971993363 HTTP/1.1
Host: example.com
Connection: keep-alive
Referer: https://example.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
X-Roundcube-Request: b7aa8fc451317a76730a72f69fbb3e9e
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: addressviewsplitter=250; prefsviewsplitter=195; identviewsplitter=300; mailviewsplitter=291; sieverulesviewsplitter=245; wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1; wp-settings-time-1=1308940613; mailviewsplitterv=165; roundcube_sessid=27cd4d0e05639619d9fa8684a6401300

--63235740-F--
HTTP/1.1 200 OK
Expires: Fri, 02 Sep 2011 13:59:55 GMT
Cache-Control: private, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Fri, 02 Sep 2011 13:59:55 GMT
X-DNS-Prefetch-Control: off
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1983
Keep-Alive: timeout=15, max=91
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8

--63235740-H--
Message: Operator GE matched 4 at TX:restricted_sqli_char_count. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "4"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=5, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
Stopwatch: 1314971993379011 2207359 (- - -)
Stopwatch2: 1314971993379011 2207359; combined=125219, p1=1234, p2=123185, p3=109, p4=385, p5=303, sr=387, sw=3, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.1.
Server: Apache/2.2.14 (Ubuntu)

--63235740-Z--

/Thomas
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
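
When triaging an alert like the one quoted above, the audit log trailer (section H) can be parsed mechanically to list which rule fired and which variable it matched. The Python below is an added example, not part of the thread or of ModSecurity/CRS; the function names and regexes are this example's own assumptions, and the sample is abridged from the quoted log.

```python
import re

# Abridged from the audit log quoted in the message above (sections shortened).
# The section/tag parsing rules below are this example's assumptions.
SAMPLE = '''--63235740-A--
[02/Sep/2011:15:59:55 +0200] TmDhWX8AAQEAAClL2qkAAAAJ x.x.x.x 28681 2.2.2.2 443
--63235740-B--
GET /?_task=mail&_remote=1&_action=list HTTP/1.1
--63235740-H--
Message: Operator GE matched 4 at TX:restricted_sqli_char_count. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "4"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=5, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
--63235740-Z--
'''

BOUNDARY = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')   # e.g. --63235740-H--
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # e.g. [id "981173"]
TARGET = re.compile(r'\bat ([A-Z_]+(?::[^\s.]+)?)')      # e.g. at TX:name.


def split_sections(text):
    """Map section letter -> list of lines for one audit log entry."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections


def parse_messages(sections):
    """Return one dict of [key "value"] tags per 'Message:' line in section H."""
    out = []
    for line in sections.get('H', []):
        if not line.startswith('Message: '):
            continue
        fields = dict(TAG.findall(line))
        # The matched variable sits in the free text before the first tag.
        m = TARGET.search(line.split(' [', 1)[0])
        fields['target'] = m.group(1) if m else None
        out.append(fields)
    return out


def triggering_rules(text):
    """(rule id, matched variable, logged data) for each alert in the entry."""
    return [(f.get('id'), f['target'], f.get('data'))
            for f in parse_messages(split_sections(text))]
```

For this entry the 981173 alert names the counter TX:restricted_sqli_char_count with data "4", so the trailer alone does not identify which argument or cookie supplied the counted characters.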
