On 07/01/2012 16:58, Ryan Barnett wrote:
> Joakim,
> Thanks for posting to the list. You can also open a jira ticket for the CRS
> here - https://www.modsecurity.org/tracker/
Ryan,
Thanks for replying so fast. I will do a report on this once I have all
my stuff up and running satisfactorily. And oops, I unintentionally replied
back directly to you instead of to the list.
> Looks like we will want to review those SQL Injection rules to tune them a bit
> better. We added a bunch of rules as a result of the SQLi Challenge results -
> http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
> While these new rules do help to reduce false negatives for SQLi, there seem to
> be a fair amount of false positives.
> We can probably look to update the regex as this is triggering on "div". The
> quick fix for you would be to use SecRuleUpdateTargetById to remove REQUEST_FILENAME from
> the list -
> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
> Ryan
I was able to remove the false positives by putting these lines in a
file loaded last:
SecRuleUpdateTargetById 981244 !REQUEST_FILENAME
SecRuleUpdateTargetById 981248 !REQUEST_FILENAME
SecRuleUpdateTargetById 981243 !REQUEST_FILENAME
But as this opens requests for any filename to be vulnerable, I also
tried with
SecRuleUpdateTargetById 981244 !REQUEST_FILENAME:div
SecRuleUpdateTargetById 981248 !REQUEST_FILENAME:div
SecRuleUpdateTargetById 981243 !REQUEST_FILENAME:div
as the example shows for ARGS, since "div" was what triggered, and
SecRuleUpdateTargetById 981244 !REQUEST_FILENAME:.gif$
SecRuleUpdateTargetById 981248 !REQUEST_FILENAME:.gif$
SecRuleUpdateTargetById 981243 !REQUEST_FILENAME:.gif$
to exclude files ending with .gif, but I probably got these calls wrong,
as regexp isn't my strong side, if I say so myself. I'm not even sure if I
could use a regexp there to exclude files with certain extensions. Personally
I would like to exclude .gif, .png and .jpg, as they are basically the only
ones used for web sites, and I can't see how requesting an image file could
cause any harm.
Regards,
Joakim
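An added example that is not part of the original thread, addressing the question above about excluding only image requests. The `VARIABLE:selector` form that SecRuleUpdateTargetById accepts (and that the exception-handling post shows for ARGS) only applies to collections; REQUEST_FILENAME is a single-valued variable, so `!REQUEST_FILENAME:div` and `!REQUEST_FILENAME:.gif$` have nothing to select from. The conditional way to drop REQUEST_FILENAME from those three rules is a phase 1 rule that matches the image extensions and uses the `ctl:ruleRemoveTargetById` action (ModSecurity 2.6 or later) for the current transaction only. The rule id 10000 is a placeholder; use one that does not collide with the CRS or your own rules. Put this in a file loaded after the CRS, as with the SecRuleUpdateTargetById lines.

```apache
# Added example, not from the original thread.
# When the requested filename ends in .gif, .png, .jpg or .jpeg, remove
# REQUEST_FILENAME as a target of the three CRS SQLi rules for this
# request only. ARGS, cookies and headers of the same request are still
# inspected, unlike the blanket "!REQUEST_FILENAME" exclusion.
# Phase 1 runs before the phase 2 SQLi rules, so the ctl actions take
# effect in time. id:10000 is a placeholder.
SecRule REQUEST_FILENAME "@rx (?i)\.(?:gif|png|jpe?g)$" \
    "id:10000,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetById=981243;REQUEST_FILENAME,\
    ctl:ruleRemoveTargetById=981244;REQUEST_FILENAME,\
    ctl:ruleRemoveTargetById=981248;REQUEST_FILENAME"
```

Note that the match is on the path only (REQUEST_FILENAME excludes the query string), so a request for `/div.gif?id=1` still has its `id` argument checked by the same rules; only the filename part is taken out. Keep the debug or audit log on for a while after adding this so you can confirm the three rule ids no longer fire on image requests and still fire elsewhere.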
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set