Heem

I am sorry, but speak English, please.

Thanks

2012/8/23, Christian Bockermann <ch...@jwall.org>:
> Hi Christian,
>
> can you send the complete request, or rather the AuditEvent for it?
> Could it possibly be that the browser sent the character not URL-encoded but
> in some other way, and the "urlDecodeUni" transformation then turns it into
> something that gets caught by the rule?
>
> I would like to take a closer look at this, but for that I would ideally need
> the event (please remove any private data such as session ID, IP,
> etc. beforehand).
>
> Regards,
>    Chris
>
>
> On 23.08.2012 at 15:34, Christian Klossek
> <c.klos...@apodiscounter.de> wrote:
>
>> Hi,
>>
>> I'm using modsecurity 2.6.7 with CRS 2.2.5 on a debian squeeze system.
>>
>> Why is the rule 981318 triggering on a GET-param with a value of "ę"
>> (Unicode U+0119)?
>>
>> I get this in my debug log (debug level 9):
>> -------------------------------------
>> SecRule
>> "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*"
>> "@rx
>> (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
>> "phase:2,nolog,auditlog,rev:2.2.5,capture,t:none,t:urlDecodeUni,block,msg:'SQL
>> Injection Attack: Common Injection Testing
>> Detected',id:981318,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
>>
>> Expanded
>> "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*"
>> to "REQUEST_FILENAME|ARGS_NAMES:keywords|ARGS:keywords".
>>
>> T (0) urlDecodeUni: "/test.php"
>> Transformation completed in 13 usec.
>> Executing operator "rx" with param
>> "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
>> against REQUEST_FILENAME.
>> Target value: "/test.php"
>> Operator completed in 9 usec.
>>
>> T (0) urlDecodeUni: "keywords"
>> Transformation completed in 13 usec.
>> Executing operator "rx" with param
>> "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
>> against ARGS_NAMES:keywords.
>> Target value: "keywords"
>> Operator completed in 4 usec.
>>
>> T (0) urlDecodeUni: "\xc4\x99"
>> Transformation completed in 14 usec.
>> Executing operator "rx" with param
>> "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
>> against ARGS:keywords.
>> Target value: "\xc4\x99"
>> Added regex subexpression to TX.0: \x99
>> Added regex subexpression to TX.1: \x99
>> Operator completed in 38 usec.
>> Setting variable: tx.msg=%{rule.msg}
>> Resolved macro %{rule.msg} to: SQL Injection Attack: Common Injection
>> Testing Detected
>> ..
>> ..
>> -------------------------------------------
>>
>> Thanks for your help
>>
>> Christian
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>

-- 
Sent from my mobile device
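
The debug log quoted above captures a lone `\x99` in TX.0, which is consistent with the rule's pattern being matched byte by byte. As an added example (not part of the original thread or of the CRS), this Python code runs the rule's pattern over the logged bytes and compares it with a hypothetical rewrite, `WHOLE_CHAR`, that keeps each multi-byte quote character together; Python's `re` on bytes stands in for the engine's regex library, and all function and constant names are assumptions.

```python
import re

# Pattern copied from rule 981318. Matched on bytes, every \xNN inside [...]
# is its own class member, so the class holds the single bytes
# c2 b4 e2 80 99 98 (plus " ' ` ;) instead of the characters ´ ’ ‘.
BYTEWISE = re.compile(
    rb"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
)

# Hypothetical rewrite (an assumption, not the CRS fix): each multi-byte
# character is one alternative, so a stray continuation byte cannot match.
QUOTE = rb"(?:[\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)"
WHOLE_CHAR = re.compile(rb"(^" + QUOTE + rb"+|" + QUOTE + rb"+$)")


def first_match(pattern, value: bytes):
    """Return the matched bytes (what would land in TX.0) or None."""
    m = pattern.search(value)
    return m.group(0) if m else None


def false_positives(pattern, codepoints):
    """Characters that trigger the pattern although they are not quote-like."""
    intended = set("\"'`;\u00b4\u2019\u2018")
    hits = []
    for cp in codepoints:
        ch = chr(cp)
        if ch not in intended and pattern.search(ch.encode("utf-8")):
            hits.append(ch)
    return hits


if __name__ == "__main__":
    logged = b"\xc4\x99"  # target value from the debug log: UTF-8 for U+0119
    print("bytewise  :", first_match(BYTEWISE, logged))
    print("whole-char:", first_match(WHOLE_CHAR, logged))
    # Constructed sample range: Latin Extended-A, U+0100..U+017F
    latin_ext_a = range(0x0100, 0x0180)
    print("bytewise false positives  :", false_positives(BYTEWISE, latin_ext_a))
    print("whole-char false positives:", false_positives(WHOLE_CHAR, latin_ext_a))
```

Any value whose last UTF-8 byte is `80`, `98`, `99` or `b4` trips the byte-wise class, so the same false positive appears for other non-ASCII input, not only U+0119.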