Hi

I'm trying to update to the newest rule set (from a quite old rule set),
and a few things are bugging me. My first thought is just to comment out
the rule below, but I would prefer to keep the rules as standard as
possible so that the next update is easier...

Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\s*\(\s*select)|(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET ..." at REQUEST_COOKIES:PHPSESSID. [file "/path/to/modsecurity-crs/current/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "9or"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.2.3.

Here is the cookie line from the header; "9or" is the reason for the
block...
Cookie: PHPSESSID=q7dgso9ort42e60o3eq9j997a1

SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
  "(?i:(?:@.+=\s*\(\s*select)|(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[(\"|'|`|´|’|‘)=()]))" \
  "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,block,msg:'Detects chained SQL injection attempts 1/2',id:'981248',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"

What is recommended to handle such an "error"?

/Anders
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
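The match itself is easy to see: the second alternative in the rule's pattern, `(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])`, contains the branch `\d+\s*x?or`, which is satisfied by the "9or" inside the session id. Rather than commenting out 981248 (and losing the check on every other target), the usual answer is a rule exclusion that removes only the PHPSESSID cookie from that rule's target list, so the CRS files stay unmodified and survive the next update. The fragment below is an added example, not part of Anders's post or of the CRS distribution. It assumes the session id always has the 26-character, [0-9a-v] form seen in the post (PHP's default when session.hash_bits_per_character is 5); rule id 900001 and the file placement are arbitrary choices. Both directives are documented in the ModSecurity 2.x reference manual; confirm that the build in use (2.5.12 in the post) supports them, as the target-exclusion directives were introduced over the 2.5.x/2.6 releases.

```apache
# Added example (not from the original post or the CRS distribution).
# Assumes PHPSESSID is always 26 characters from [0-9a-v], as in the post.

# Option 1: a static, global exclusion. Rule 981248 stays untouched in the
# CRS files; only the PHPSESSID cookie is removed from its target list.
# This must be loaded AFTER the CRS rule files (e.g. from a local
# modsecurity_crs_60_customrules.conf in the CRS 2.2.x layout), because the
# rule id has to be known when the directive is processed.
SecRuleUpdateTargetById 981248 !REQUEST_COOKIES:PHPSESSID

# Option 2: a conditional exclusion. Drop the cookie from 981248 only when
# it actually looks like a PHP session id, so a tampered cookie carrying a
# real payload (spaces, quotes, operators) is still inspected by the rule.
# Runs in phase 1 so the ctl action is applied before the phase 2 CRS rules.
# Rule id 900001 is an arbitrary id in the local-rule range.
SecRule REQUEST_COOKIES:PHPSESSID "^[0-9a-v]{26}$" \
    "phase:1,t:none,nolog,pass,id:900001,ctl:ruleRemoveTargetById=981248;REQUEST_COOKIES:PHPSESSID"
```

Use one option or the other, not both. Option 1 is simplest and is what most deployments do for opaque, server-generated identifiers; Option 2 costs one extra phase 1 rule but keeps 981248 watching the cookie whenever its format deviates from what the application issues. Either way, the other CRS SQLi rules still inspect the cookie, and the exclusion file is the only thing to carry forward at the next CRS upgrade.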
