Just tried 2.2.2, still complaining:
--6e29976e-A--
[12/Sep/2011:22:20:57 +0200] Tm5pqH8AAQEAAD7NK34AAAAL 192.168.255.126
39065 x.x.x.x 443
--6e29976e-B--
GET
/?_task=mail&_remote=1&_action=check-recent&_t=1315858856789&_mbox=INBOX&_list=1&_=1315858856790&_unlock=0
HTTP/1.1
Host: example.com
Connection: keep-alive
Referer: https://example.com/?_task=mail
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like
Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
X-Roundcube-Request: 0f3bcbcd36d0e4e2c4eab5f23ccfc971
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mailviewsplitterv=165;
wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1;
wp-settings-time-1=1314128296;
roundcube_sessid=1b7ae7d350aca9dcc89493a63a2dbd24
--6e29976e-F--
HTTP/1.1 200 OK
Expires: Mon, 12 Sep 2011 20:20:57 GMT
Cache-Control: private, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 20:20:57 GMT
X-DNS-Prefetch-Control: off
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 96
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
--6e29976e-H--
Message: Pattern match
"([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){6,}"
at REQUEST_COOKIES:wp-settings-1. [file
"/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "521"] [id "981172"] [rev "2.2.2"] [msg "Restricted SQL Character
Anomaly Detection Alert - Total # of special characters exceeded"] [data
"=1"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
[file
"/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlation.conf"]
[line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound
Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection
Alert - Total # of special characters exceeded"]
Stopwatch: 1315858856891692 385196 (- - -)
Stopwatch2: 1315858856891692 385196; combined=80816, p1=844, p2=79444,
p3=11, p4=197, p5=317, sr=305, sw=3, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/);
core ruleset/2.2.2.
Server: Apache/2.2.14 (Ubuntu)
--6e29976e-Z--
/Thomas
On 2011-09-02 18:48, Ryan Barnett wrote:
> Can you try the SVN trunk version (v2.2.2)?
>
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_
> rules/modsecurity_crs_41_sql_injection_attacks.conf
>
> I tried your complete transaction and the same category of check triggered
> for a Cookie value -
>
> [Fri Sep 02 12:41:07 2011] [error] [client 127.0.0.1] ModSecurity:
> Warning. Pattern match
> "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\
> \\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\
> \\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){6,}" at
> REQUEST_COOKIES:wp-settings-1. [file
> "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_41_sql_injectio
> n_attacks.conf"] [line "521"] [id "981172"] [rev "2.2.2"] [msg "Restricted
> SQL Character Anomaly Detection Alert - Total # of special characters
> exceeded"] [data "=1"] [hostname "example.com"] [uri "/"] [unique_id
> "TmEHIcCoqAEAALzcEnkAAAAI"
>
>
>
> That wp-settings-1 cookie payload decodes to -
>
> wp-settings-1=editor=tinymce&m4=o&m0=o&uploader=1
>
> And the rule triggered on having a bunch of = and & chars in it.
>
> -Ryan
>
>
> On 9/2/11 10:27 AM, "Thomas D. Dahlmann" <[email protected]> wrote:
>
>> Hi
>>
>> I've got the exception shown below when I try to hit my webmail site.
>>
>> What kind of "bad" characters is the rule complaining about in this
>> request?
>>
>>
>> --63235740-A--
>> [02/Sep/2011:15:59:55 +0200] TmDhWX8AAQEAAClL2qkAAAAJ x.x.x.x 28681
>> 2.2.2.2 443
>> --63235740-B--
>> GET
>> /?_task=mail&_remote=1&_action=list&_mbox=RoundCube&_page=1&_refresh=1&_=1
>> 314971993364&_unlock=loading1314971993363
>> HTTP/1.1
>> Host: example.com
>> Connection: keep-alive
>> Referer: https://example.com/
>> X-Requested-With: XMLHttpRequest
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML,
>> like Gecko) Chrome/13.0.782.215 Safari/535.1
>> Accept: application/json, text/javascript, */*; q=0.01
>> X-Roundcube-Request: b7aa8fc451317a76730a72f69fbb3e9e
>> Accept-Encoding: gzip,deflate,sdch
>> Accept-Language: en-US,en;q=0.8
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>> Cookie: addressviewsplitter=250; prefsviewsplitter=195;
>> identviewsplitter=300; mailviewsplitter=291; sieverulesviewsplitter=245;
>> wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1;
>> wp-settings-time-1=1308940613; mailviewsplitterv=165;
>> roundcube_sessid=27cd4d0e05639619d9fa8684a6401300
>>
>> --63235740-F--
>> HTTP/1.1 200 OK
>> Expires: Fri, 02 Sep 2011 13:59:55 GMT
>> Cache-Control: private, no-cache, must-revalidate, post-check=0,
>> pre-check=0
>> Pragma: no-cache
>> Last-Modified: Fri, 02 Sep 2011 13:59:55 GMT
>> X-DNS-Prefetch-Control: off
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Content-Length: 1983
>> Keep-Alive: timeout=15, max=91
>> Connection: Keep-Alive
>> Content-Type: text/plain; charset=UTF-8
>>
>> --63235740-H--
>> Message: Operator GE matched 4 at TX:restricted_sqli_char_count. [file
>> "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_41_sql_injec
>> tion_attacks.conf"]
>> [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character
>> Anomaly Detection Alert - Total # of special characters exceeded"] [data
>> "4"]
>> Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
>> [file
>> "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlati
>> on.conf"]
>> [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound
>> Score: 3, SQLi=5, XSS=): Restricted SQL Character Anomaly Detection
>> Alert - Total # of special characters exceeded"]
>> Stopwatch: 1314971993379011 2207359 (- - -)
>> Stopwatch2: 1314971993379011 2207359; combined=125219, p1=1234,
>> p2=123185, p3=109, p4=385, p5=303, sr=387, sw=3, l=0, gc=0
>> Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/);
>> core ruleset/2.2.1.
>> Server: Apache/2.2.14 (Ubuntu)
>>
>> --63235740-Z--
>>
>>
>> /Thomas
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> [email protected]
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>
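Ryan's diagnosis reproduced in code, as an added example that is not part of the thread or of the CRS itself: the 981172 character class is transcribed from the audit log above, `urllib.parse.unquote` stands in for ModSecurity's urlDecodeUni transformation on REQUEST_COOKIES, and the `excluded` parameter models the per-cookie target exclusion (`SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:wp-settings-1"`) a defender would add for this known-benign WordPress cookie rather than disabling the rule.

```python
import re
from urllib.parse import unquote

# Character class of CRS rule 981172, transcribed from the audit log above
# (the \xc2\xb4, \xe2\x80\x99 and \xe2\x80\x98 bytes in the log are UTF-8 for ´ ’ ‘).
# Six or more of these characters anywhere in one value trigger the rule.
RULE_981172 = re.compile(r"""([~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>].*){6,}""")

# Cookie header copied from Thomas's 12 Sep audit log above (constructed sample).
SAMPLE_COOKIE_HEADER = (
    "mailviewsplitterv=165; "
    "wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1; "
    "wp-settings-time-1=1314128296; "
    "roundcube_sessid=1b7ae7d350aca9dcc89493a63a2dbd24"
)


def parse_cookie_header(header):
    """Split a Cookie header into {name: raw value}; values stay percent-encoded."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:  # skip empty fragments and malformed pairs without '='
            cookies[name.strip()] = value
    return cookies


def check_cookies(header, excluded=frozenset()):
    """Run the 981172 pattern over each URL-decoded cookie value, the way
    ModSecurity inspects REQUEST_COOKIES after t:urlDecodeUni (unquote stands
    in for that transformation here). Returns {cookie name: captured [data]}
    for every value that matches. Names in `excluded` are skipped, which
    models a SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:<name>" exclusion."""
    hits = {}
    for name, raw in parse_cookie_header(header).items():
        if name in excluded:
            continue
        match = RULE_981172.search(unquote(raw))
        if match:
            # group(1) holds the last repetition, which is what the log's [data "=1"] shows
            hits[name] = match.group(1)
    return hits


if __name__ == "__main__":
    print("decoded:", unquote(parse_cookie_header(SAMPLE_COOKIE_HEADER)["wp-settings-1"]))
    print("hits without exclusion:", check_cookies(SAMPLE_COOKIE_HEADER))
    print("hits with wp-settings-1 excluded:",
          check_cookies(SAMPLE_COOKIE_HEADER, excluded={"wp-settings-1"}))
```

The decoded value `editor=tinymce&m4=o&m0=o&uploader=1` carries seven `=`/`&` characters, so the `{6,}` quantifier is satisfied and the last captured repetition is `=1`, exactly the `[data "=1"]` both audit logs report.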