Hi List,
my first post here so hope I get it right.
Setting up and testing a site I ran into what I think is a false
positive block, at least it doesn't make sense to me. The hit, or hits I
may say, as 3 rules seem to be triggered and a 4th as a result thereof,
comes from a url item in a CSS file pointing to an image file. How that
can be judged as a critical web attack and SQL injection attempt is
over my head, although I understand there probably exists a logical
explanation... and can it possibly be that these rules should exclude
common image files?
Anyway, here are the related log lines and I hope it's understandable as
there is no way to format it here. I have disguised IP and host names.
[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
Warning. Pattern match
"(?i:(?:\\\\d(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s+(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s+\\\\d)|(?:^admin\\\\s*(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)|(\\\\/\\\\*)+(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)+\\\\s?(?:--|#|\\\\/\\\\*|{)?)|(?:(\\"|'|
..." at REQUEST_FILENAME. [file
"/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass
attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag
"WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
[hostname "shop.domain.com"] [uri
"/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
"TwhAtsCoAWgAADYlFsAAAAAF"]
[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
Warning. Pattern match
"(?i:(?:@.+=\\\\s*\\\\(\\\\s*select)|(?:\\\\d+\\\\s*x?or|div|like|between|and\\\\s*\\\\d+\\\\s*[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*(?:drop|alter))|(?:(?:;|#|--)\\\\s*(?:update|insert)\\\\s
..." at REQUEST_FILENAME. [file
"/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "539"] [id "981248"] [msg "Detects chained SQL injection attempts
1/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag
"WEB_ATTACK/ID"] [hostname "shop.domain.com"] [uri
"/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
"TwhAtsCoAWgAADYlFsAAAAAF"]
[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
Warning. Pattern match
"(?i:(?:(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\s*\\\\*.+(?:x?or|div|like|between|and|id)\\\\W*(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)\\\\d)|(?:\\\\^(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98))|(?:^[\\\\w\\\\s(\\"|'|`|\\xc2\\xb4|\\xe2\\x80\\x99|\\xe2\\x80\\x98)-]+(
..." at REQUEST_FILENAME. [file
"/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "573"] [id "981243"] [msg "Detects classic SQL injection probings
2/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag
"WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"] [hostname "shop.domain.com"]
[uri "/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
"TwhAtsCoAWgAADYlFsAAAAAF"]
[Sat Jan 07 12:55:18 2012] [error] [client 213.xxx.xxx.xxx] ModSecurity:
Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
"/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line
"37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
Score: 19, SQLi=, XSS=): 981243-Detects classic SQL injection probings
2/2"] [hostname "shop.domain.com"] [uri
"/skin/frontend/domain/default/images/bkg_divider1.gif"] [unique_id
"TwhAtsCoAWgAADYlFsAAAAAF"]
The CSS line that triggers looks like this:
.dashboard .box .box-title { background:url(../images/bkg_divider1.gif)
0 100% repeat-x; padding:0 0 2px; margin:0 0 8px; text-align:right; }
Nothing scary really but how can this false positive be avoided? Is it
best to improve the regexp or can well known image files be filtered out
any other way?
TIA,
Joakim
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
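The [data "div"] in the log can be reproduced from the visible part of the 981248 pattern: inside the group `(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])` the alternatives `div`, `like` and `between` stand alone, so the digit context applies only to the first and last alternative and any filename containing "divider" fires the rule. The following is an added illustration, not code from the original post or from the CRS project; the regrouped pattern is an assumption about how the alternation could be tightened, and the probe string and second asset name are constructed.

```python
import re

# Leading part of the CRS 981248 pattern exactly as shown in the log above,
# up to the group that reported [data "div"]. The rest is truncated ("...")
# in the log and is left out of this constructed fragment.
CRS_981248_FRAGMENT = re.compile(
    r"(?i:(?:@.+=\s*\(\s*select)"
    r"|(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+]))"
)

# Assumed regrouping (an illustration, not the CRS maintainers' fix): the
# keyword list gets its own group so the leading digits and the trailing
# "digits then - or +" context apply to every keyword, not just to the
# first and last alternative.
REGROUPED_FRAGMENT = re.compile(
    r"(?i:(?:@.+=\s*\(\s*select)"
    r"|(?:\d+\s*(?:x?or|div|like|between|and)\s*\d+\s*[\-+]))"
)


def matched_data(pattern, request_filename):
    """Return the matched substring (what ModSecurity reports as [data "..."]),
    or None when the pattern would not fire on this REQUEST_FILENAME."""
    m = pattern.search(request_filename)
    return m.group(0) if m else None


# URI taken from the log; the other two values are constructed samples.
GIF_URI = "/skin/frontend/domain/default/images/bkg_divider1.gif"
PNG_URI = "/images/between_cols.png"      # constructed: bare "between" also fires
PROBE = "id=1 div 1-"                     # constructed: keyword in the numeric context the rule targets

if __name__ == "__main__":
    for name, pat in (("981248 fragment", CRS_981248_FRAGMENT),
                      ("regrouped", REGROUPED_FRAGMENT)):
        for uri in (GIF_URI, PNG_URI, PROBE):
            print(f"{name:16} {uri!r:58} -> {matched_data(pat, uri)!r}")
```

Run as-is it prints, for each pattern, which substring (if any) fires on the gif, on the png and on the probe; the original fragment fires on all three, the regrouped one only on the probe.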