I presume that to upgrade the CRS will probably require an upgrade to ModSecurity as well… or at least a good idea :-)

I'll have to plan a project on that one and work against our DEV box in prep to move to production. Also Ryan, I had sent you a question on the other group in hope you might have some pearls of wisdom to share there.

Thank you
-=Steve

From: Ryan Barnett <rbarn...@trustwave.com>
Date: Tuesday, March 5, 2013 11:25 AM
To: Stephen Canell <stephen.e.can...@jpl.nasa.gov>
Cc: Christian Bockermann <ch...@jwall.org>, Stephen Canell <stephen.e.can...@jpl.nasa.gov>, "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Injection

Also it looks like you are running an old CRS version, as the newer ones list the version in the alerts and include more data about matches. Can you upgrade?

--
Ryan Barnett

On Mar 5, 2013, at 2:21 PM, "Canell, Stephen E (1734)" <stephen.e.can...@jpl.nasa.gov> wrote:

Thank you Chris… As I looked further at this I came to the same conclusion on the ARG NAME and the data field, though I didn't quite get the finding in the data field. I'll have to go back and look at the previous section for the complete message.

Again, Thank you
-=Steve

From: Christian Bockermann <ch...@jwall.org>
Date: Tuesday, March 5, 2013 10:57 AM
To: Stephen Canell <stephen.e.can...@jpl.nasa.gov>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Injection

Hi Steve!

On 05.03.2013 at 19:20, "Canell, Stephen E (1734)" <stephen.e.can...@jpl.nasa.gov> wrote:

The following in ARGS: is being identified as SQL Injection: TAOP01U10RhvxuuKxxempg01U10monamzy1

Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*(x?or|div|like|between|and)\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)$)|(?:(?:^[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x ..." at ARGS:TAOP01U10RhvxuuKxxempg01U10monamzy1. [file "/usr/local/apache2/conf/extra/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "565"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "7 Andr"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

The "TAOP01U10RhvxuuKxxempg01U10monamzy1" string is NOT detected as SQL injection, but is simply the name of the PARAMETER that contains the malicious data. The data that triggers your rule is "7 Andr", which you can see in the [data "7 Andr"] part of the rule message.

The problem is probably that the regex of the rule has something like ...|div|like|between|and)\\s*... which says "something with 'and' followed by ANY number of whitespaces". Unfortunately "ANY" also includes 0. So "andr" matches "and" followed by 0 whitespaces, and the "r" probably matches some of the rest of the complex regex.

I hope that makes sense :-)

Best regards,
Chris

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
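Chris's diagnosis of the false positive (keyword followed by `\s*`, which accepts zero whitespace), as an added example that is not part of this thread and not the CRS code: the `LOOSE` pattern below is a constructed approximation of the mechanism he describes, not the full regex of rule 981242 (the alert truncates it), and the sample values are constructed. It reproduces the `[data "7 Andr"]` match on a value like "7 Andrew", shows a word-boundary variant that no longer fires on it, and runs both over labelled samples the way a rule change should be regression-checked before deployment.

```python
import re

# Keyword alternation taken from the rule fragment quoted in the alert:
# ...|div|like|between|and)\s*...
KEYWORDS = r"(?:x?or|div|like|between|and)"

# Constructed illustration (an assumption, NOT rule 981242 itself): a digit,
# optional whitespace, a keyword, then \s*, which also accepts ZERO whitespace
# characters, then any non-space character. Python's re is close enough to
# PCRE for this construct.
LOOSE = re.compile(r"(?i)\d\s*" + KEYWORDS + r"\s*\S")

# Same shape with a word boundary after the keyword: "and" must end a word,
# so "Andrew" and "orchids" no longer qualify, while "1 or 1=1" and "1 or(1)"
# still do. This only addresses the zero-whitespace case Chris describes.
STRICT = re.compile(r"(?i)\d\s*" + KEYWORDS + r"\b\s*\S")


def matched_data(pattern, value):
    """Return the matched substring, i.e. what ModSecurity reports in the
    [data "..."] field of the alert, or None when the pattern does not fire."""
    m = pattern.search(value)
    return m.group(0) if m else None


def regression(pattern, samples):
    """Run a candidate pattern over labelled samples and return the values it
    misclassifies, so a rule change can be checked before going to production."""
    return [value for value, expect in samples if bool(pattern.search(value)) != expect]


# Constructed samples: (argument value, should the SQLi rule fire on it?)
SAMPLES = [
    ("1 or 1=1", True),
    ("7 and 1", True),
    ("1 or(1)", True),
    ("7 Andrew", False),          # the shape of the false positive in the thread
    ("3 Andrew Street", False),   # a postal address, same mechanism
    ("2 orchids", False),         # "or" followed by zero whitespace
]

if __name__ == "__main__":
    for value, _ in SAMPLES:
        print(f"{value!r:20} loose={matched_data(LOOSE, value)!r:10} "
              f"strict={matched_data(STRICT, value)!r}")
    print("loose misclassifies:", regression(LOOSE, SAMPLES))
    print("strict misclassifies:", regression(STRICT, SAMPLES))
```

The loose pattern reports "7 Andr" for "7 Andrew", exactly the data field in Steve's alert, while the strict one misclassifies none of the samples.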