Hi, thank you, that works excellently :) :)
Now when I try to connect with Facebook, it's blocked ('false positive').

log:

--be2b2979-H--
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:code. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:code: AQAZzUllyzvnMFeI1YdJ7btTKpmdrAZ3VS-n5iyorHDhHpSzG6gpoRuEnzi9nNpX4RY8XP1O8W3WOea-4NjU0r4S1QkiCKwpCea-smSIVe2WxCTEIu4eN7S4YVSENbyes9tTF_dt890NN64DhShsI72t5fusquL_iK7SIfEo03eaYNxIIn0IGAyY0l2IMUusVd24RFBiPKowLjRJrXC4NL02Ine0VJU0Nm57anPrK6gsuzMZG41hHbtWiqsyPtRusewjOOUmTMk0OTrXtm67sOUpCW7emT5gUsGKPlJy_efQ-Q5QTgpl0xcwOffuu4ATeBA"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1403881875314702 2150 (- - -)
Stopwatch2: 1403881875314702 2150; combined=1886, p1=90, p2=1793, p3=0, p4=0, p5=3, sr=26, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

Can I use

SecRuleUpdateTargetById 960024 !ARGS:/^code/

or is it dangerous?

2014-06-27 16:08 GMT+01:00 Jamie Riden <jamie.ri...@gmail.com>:

> Would
>
> SecRuleUpdateTargetById 960024 !ARGS:/^telfaxmailweb/
>
> be better in this instance? (i.e. anchor the start of line.)
>
> cheers,
> Jamie
>
> On 27 June 2014 15:57, Josh Amishav-Zlatin <jam...@owasp.org> wrote:
> > On Fri, Jun 27, 2014 at 5:41 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
> >>
> >> Hi, thank you for your reply.
> >> But the problem is that the number telfaxmailweb_1_171833 /
> >> telfaxmailweb_1_142609 .... changes (non-static).
> >> Do you have an idea?
> >>
> >
> > Hi Ilyass,
> >
> > Try using a regex in your exception, e.g.:
> > SecRuleUpdateTargetById 960024 !ARGS:/telfaxmailweb/
> >
> > --
> > - Josh
> >
> >>
> >> thank you
> >>
> >>
> >> 2014-06-27 8:04 GMT+01:00 Josh Amishav-Zlatin <jam...@owasp.org>:
> >>
> >>> On Thu, Jun 26, 2014 at 5:43 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
> >>>>
> >>>> Hi Josh.
> >>>>
> >>>> It works very well, thank you :) :) :)
> >>>>
> >>>> I have another block :( please help me
> >>>
> >>>
> >>> Hi Ilyass,
> >>>
> >>> In this case there is a hyphen in the telfaxmailweb_1_171833 parameter
> >>> value. Try using the SecRuleUpdateTargetById directive, e.g.
> >>> SecRuleUpdateTargetById 960024 !ARGS:telfaxmailweb_1_171833
> >>>
> >>> For details see:
> >>>
> >>> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
> >>>
> >>> --
> >>> - Josh
> >>>
> >>>>
> >>>> log:
> >>>>
> >>>> --9b18757a-A--
> >>>> [26/Jun/2014:16:35:15 +0200] U6wvo38AAAEAAFCgA4AAAAAK
> >>>> --9b18757a-B--
> >>>> POST /beta/societe-contribEnt HTTP/1.1
> >>>> Host: www.xxxx.xxx
> >>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
> >>>> Accept: */*
> >>>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
> >>>> Accept-Encoding: gzip, deflate
> >>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> >>>> X-Requested-With: XMLHttpRequest
> >>>> Referer: http://www.xxxx.ma/beta/xxxxx?action=edit
> >>>> Content-Length: 1735
> >>>> Cookie: JSESSIONID=2A3D8D47FE45427E1AAFC69A2FA48F7B; __utma=111125463.1234468951.1403792976.1403792976.1403792976.1; __utmb=111125463.7.10.1403792976; __utmc=111125463; __utmz=111125463.1403792976.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
> >>>> Connection: keep-alive
> >>>> Pragma: no-cache
> >>>> Cache-Control: no-cache
> >>>>
> >>>> --9b18757a-C--
> >>>> codeAction=1&entid=151549&bilid=148614&idMkt=1628&denomination=INFORISK&denomination_dirty=&entrc=135529&entrc_dirty=&tribunal=12&tribunal_dirty=&fmj=Soci%C3%A9t%C3%A9+Anonyme&fmj_dirty=&capital=12+650+000+Dirhams&capital_dirty=&adresse=43%2C+Boulevard+D'anfa&adresse_dirty=&ville=1488&ville_dirty=&activite=+Collecte%2C+traitement+et+vente+des+informations+financi%C3%A8res%2C+l%C3%A9gales+et+commerciales&activite_dirty=&effectif_dirty=&effectif=30&segmentEffectif_dirty=&segmentEffectif=2&effectifCadre_dirty=&effectifCadre=0&telfaxmailweb_1_171833_dirty=&telfaxmailweb_1_171833=05-22-27-64-10&telfaxmailweb_1_142609_dirty=&telfaxmailweb_1_142609=05-22-42-90-87&telfaxmailweb_1_0_2_dirty=&telfaxmailweb_1_0_2=__-__-__-__-__&telfaxmailweb_1_0_3_dirty=&telfaxmailweb_1_0_3=__-__-__-__-__&telfaxmailweb_2_142611_dirty=&telfaxmailweb_2_142611=05-22-27-64-16&telfaxmailweb_2_0_1_dirty=&telfaxmailweb_2_0_1=__-__-__-__-__&telfaxmailweb_2_0_2_dirty=&telfaxmailweb_2_0_2=__-__-__-__-__&telfaxmailweb_2_0_3_dirty=&telfaxmailweb_2_0_3=__-__-__-__-__&telfaxmailweb_3_142612_dirty=&telfaxmailweb_3_142612=info%40inforisk.ma&telfaxmailweb_3_0_1_dirty=&telfaxmailweb_3_0_1=&telfaxmailweb_3_0_2_dirty=&telfaxmailweb_3_0_2=&telfaxmailweb_3_0_3_dirty=&telfaxmailweb_3_0_3=&telfaxmailweb_4_142608_dirty=&telfaxmailweb_4_142608=www.inforisk.ma&telfaxmailweb_4_0_1_dirty=&telfaxmailweb_4_0_1=&telfaxmailweb_4_0_2_dirty=&telfaxmailweb_4_0_2=&telfaxmailweb_4_0_3_dirty=&telfaxmailweb_4_0_3=&idMktRefTypeContact_31241_dirty=&idMktRefTypeContact_31241=1&nom_31241=Ayouch&nom_31241_dirty=&prenom_31241=Khalid&prenom_31241_dirty=&tel_31241=__-__-__-__-__&tel_31241_dirty=&email_31241=test%40gmail.com&email_31241_dirty=1&contact_31241=1&contact_31241_dirty=1
> >>>>
> >>>> --9b18757a-F--
> >>>> HTTP/1.1 403 Forbidden
> >>>> Content-Length: 225
> >>>> Connection: close
> >>>> Content-Type: text/html; charset=iso-8859-1
> >>>>
> >>>> --9b18757a-E--
> >>>>
> >>>> --9b18757a-H--
> >>>> Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:telfaxmailweb_1_171833. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:telfaxmailweb_1_171833: 05-22-27-64-10"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
> >>>> Action: Intercepted (phase 2)
> >>>> Apache-Handler: proxy-server
> >>>> Stopwatch: 1403793315275899 22265 (- - -)
> >>>> Stopwatch2: 1403793315275899 22265; combined=9584, p1=187, p2=9377, p3=0, p4=0, p5=20, sr=28, sw=0, l=0, gc=0
> >>>> Response-Body-Transformed: Dechunked
> >>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
> >>>> Server: Apache
> >>>> Engine-Mode: "ENABLED"
> >>>>
> >>>> --9b18757a-Z--
> >>>>
> >>>>
> >>>> 2014-06-26 13:44 GMT+01:00 Josh Amishav-Zlatin <jam...@owasp.org>:
> >>>>
> >>>>> On Thu, Jun 26, 2014 at 3:19 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
> >>>>>>
> >>>>>> Hi guys.
> >>>>>>
> >>>>>> I do not understand why modsecurity is blocking my request with the
> >>>>>> character "à" in French.
> >>>>>> log:
> >>>>>
> >>>>>
> >>>>> Hi Ilyass,
> >>>>>
> >>>>> Take a look at the SecUnicodeCodePage and SecUnicodeMapFile directives.
> >>>>> For more information see:
> >>>>>
> >>>>> http://blog.spiderlabs.com/2012/08/waf-normalization-and-i18n.html
> >>>>>
> >>>>> --
> >>>>> - Josh
> >>>>>
> >>>>>>
> >>>>>> --169a1612-A--
> >>>>>> [26/Jun/2014:11:48:57 +0200] U6vsiX8AAAEAAEkNI7cAAAAQ
> >>>>>> --169a1612-B--
> >>>>>> POST /beta/societe-xxxxxr HTTP/1.1
> >>>>>> Host: www.xxxx.xx
> >>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
> >>>>>> Accept: */*
> >>>>>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
> >>>>>> Accept-Encoding: gzip, deflate
> >>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> >>>>>> X-Requested-With: XMLHttpRequest
> >>>>>> Referer: http://www.xxx.xxx/beta/societe-xxxx
> >>>>>> Content-Length: 760
> >>>>>> Cookie: JSESSIONID=DC9410B3998A7E973EDBA0ED638F5B40; __utma=111125463.1374472637.1403014671.1403719512.1403772965.34; __utmz=111125463.1403435014.17.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utmb=111125463.24.10.1403772965; __utmc=111125463; JSESSIONID=EB7E51CFBA0B811E9335731DA6A26A08
> >>>>>> Connection: keep-alive
> >>>>>> Pragma: no-cache
> >>>>>> Cache-Control: no-cache
> >>>>>>
> >>>>>> --169a1612-C--
> >>>>>> codeAction=1&entid=367928&bilid=321761&idMkt=672&denomination=&capital=10+000+&activite=PRODUCTION+DES+FILMS+CINEMATOGRAPHIQUES+ET+AUDIOVISEUL&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=17%2F08%2F13+%C3%A0+15%3A41&loginUser=nabilchant%40hotmail.fr&emailUser=nabilchant%40hotmail.fr&id=672&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_734=on&telfaxmailweb_734_validator=1&data_734=0610357910&type_734=1&idMktTelfaxmailweb_734=0&telfaxmailweb_735=on&telfaxmailweb_735_validator=1&data_735=0633327850&type_735=1&idMktTelfaxmailweb_735=0&statut=1&remarque=
> >>>>>>
> >>>>>> --169a1612-F--
> >>>>>> HTTP/1.1 403 Forbidden
> >>>>>> Content-Length: 245
> >>>>>> Connection: close
> >>>>>> Content-Type: text/html; charset=iso-8859-1
> >>>>>>
> >>>>>> --169a1612-E--
> >>>>>>
> >>>>>> --169a1612-H--
> >>>>>> Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:dateContribution. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \xc3\xa0 found within ARGS:dateContribution: 17/08/13 \xc3\xa0 15:41"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
> >>>>>> Action: Intercepted (phase 2)
> >>>>>> Apache-Handler: proxy-server
> >>>>>> Stopwatch: 1403776137380257 11043 (- - -)
> >>>>>> Stopwatch2: 1403776137380257 11043; combined=642, p1=224, p2=399, p3=0, p4=0, p5=19, sr=37, sw=0, l=0, gc=0
> >>>>>> Response-Body-Transformed: Dechunked
> >>>>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
> >>>>>> Server: Apache
> >>>>>> Engine-Mode: "ENABLED"
> >>>>>>
> >>>>>> --169a1612-Z--
> >>>>>>
> >>>>>>
> >>>>>> How can I allow these types of characters?
> >>>>>>
> >>>>>> thank you.
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Owasp-modsecurity-core-rule-set mailing list
> >>>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
> >>>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Ilyass kaouam
> >>>> Systems administrator at Inforisk Group Finaccess
> >>>> European Masters in Information Technology
> >>>> Portable : (212) 6 34 57 14 36
> >>>> http://www.inforisk.ma
> >>>
> >>>
> >>
> >>
> >> --
> >> Ilyass kaouam
> >> Systems administrator at Inforisk Group Finaccess
> >> European Masters in Information Technology
> >> Portable : (212) 6 34 57 14 36
> >> http://www.inforisk.ma
> >
> >
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
>
> --
> Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
> http://uk.linkedin.com/in/jamieriden
>

--
Ilyass kaouam
Systems administrator at Inforisk Group Finaccess
European Masters in Information Technology
Portable : (212) 6 34 57 14 36
http://www.inforisk.ma
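
The exceptions discussed in this thread differ in two ways: which rule id the directive edits, and which parameter names the `!ARGS:` target stops inspecting. The following is an added example, not code from the thread or from ModSecurity: a Python script that reads the rule id and variable from a constructed `Message:` line shaped like the logs above and lists the names each target would exclude. Assumptions: Python's `re` stands in for ModSecurity's PCRE matching, names are compared case-sensitively, and `x_telfaxmailweb` is a constructed parameter name.

```python
import re

# Constructed sample: a "Message:" line shaped like the audit-log H section
# in the message above (pattern and matched data shortened to "...").
SAMPLE_ALERT = (
    'Message: Access denied with code 403 (phase 2). Pattern match "..." '
    'at ARGS:code. [file "modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "159"] [id "981173"] [rev "2"] [data "Matched Data: - found '
    'within ARGS:code: ..."]'
)

# Parameter names seen in the thread; "x_telfaxmailweb" is constructed to
# show what an unanchored pattern also catches.
ARG_NAMES = ["code", "codeAction", "telfaxmailweb_1_171833",
             "telfaxmailweb_1_171833_dirty", "x_telfaxmailweb", "denomination"]


def parse_alert(message):
    """Return (rule_id, variable) from a ModSecurity 'Message:' line."""
    rule = re.search(r'\[id "(\d+)"\]', message)
    var = re.search(r'\bat ([A-Z_]+(?::[^\s.]+)?)\. \[', message)
    if not rule or not var:
        raise ValueError("not a ModSecurity alert line")
    return rule.group(1), var.group(1)


def excluded_args(target, names):
    """Names that a '!ARGS:name' or '!ARGS:/regex/' target stops inspecting."""
    m = re.fullmatch(r"!ARGS:(?:/(.+)/|(.+))", target)
    if not m:
        raise ValueError("unsupported target: " + target)
    if m.group(1) is not None:
        rx = re.compile(m.group(1))  # assumption: Python re stands in for PCRE
        return [n for n in names if rx.search(n)]
    return [n for n in names if n == m.group(2)]  # literal parameter name


def review(alert, directive_rule_id, target, names=ARG_NAMES):
    """Compare a proposed SecRuleUpdateTargetById exception with an alert."""
    rule_id, variable = parse_alert(alert)
    return {
        "alert_rule": rule_id,
        "alert_variable": variable,
        "directive_edits_alert_rule": directive_rule_id == rule_id,
        "excluded": excluded_args(target, names),
    }


if __name__ == "__main__":
    for rid, tgt in [("960024", "!ARGS:/^code/"), ("981173", "!ARGS:/^code$/"),
                     ("960024", "!ARGS:/telfaxmailweb/"),
                     ("960024", "!ARGS:/^telfaxmailweb/")]:
        print(rid, tgt, review(SAMPLE_ALERT, rid, tgt))
```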