Hi Ryan,

It works.

Thank you.


2014-06-27 16:41 GMT+01:00 Ryan Barnett <ryan.barn...@owasp.org>:

> This is what I recommend in these cases -
>
>    1. Create a positive security/input validation check against the
>    parameter that is causing the false positive. In this case it is the "code"
>    parameter.  If it matches the expected input format, then move to step 2.
>    2. Then use the "ctl:ruleRemoveTargetById" action to conditionally
>    remove ARGS:code from inspection for rule 981173
>
> The rule would look something like this (not tested)
>
> SecRule ARGS:code "@rx ^[a-zA-Z0-9\-_]+$" \
>     "phase:request,id:12345,nolog,pass,ctl:ruleRemoveTargetById=981173;ARGS:code"
>
> Place this rule in a modsecurity_crs_00_custom.conf file so that it runs
> BEFORE the normal CRS rules.
>
> In general, this approach is more secure than just simply removing a
> variable from inspection when you encounter a false positive.
>
> -Ryan
>
> From: Ilyass Kaouam <ilyassi...@gmail.com>
> Reply-To: <ilyassi...@gmail.com>
> Date: Friday, June 27, 2014 11:21 AM
> To: Jamie Riden <jamie.ri...@gmail.com>
> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" <
> owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Problem with False Positives
>
> Hi
>
> Thank you, that works excellently :) :)
>
> Now when I try to connect with Facebook it's blocked ('false positive').
>
> log:
>
> --be2b2979-H--
>
> Message: Access denied with code 403 (phase 2). Pattern match
> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> at ARGS:code. [file
> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
> Detection Alert - Total # of special characters exceeded"] [data "Matched
> Data: - found within ARGS:code:
> AQAZzUllyzvnMFeI1YdJ7btTKpmdrAZ3VS-n5iyorHDhHpSzG6gpoRuEnzi9nNpX4RY8XP1O8W3WOea-4NjU0r4S1QkiCKwpCea-smSIVe2WxCTEIu4eN7S4YVSENbyes9tTF_dt890NN64DhShsI72t5fusquL_iK7SIfEo03eaYNxIIn0IGAyY0l2IMUusVd24RFBiPKowLjRJrXC4NL02Ine0VJU0Nm57anPrK6gsuzMZG41hHbtWiqsyPtRusewjOOUmTMk0OTrXtm67sOUpCW7emT5gUsGKPlJy_efQ-Q5QTgpl0xcwOffuu4ATeBA"]
> [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>
> Action: Intercepted (phase 2)
>
> Apache-Handler: proxy-server
>
> Stopwatch: 1403881875314702 2150 (- - -)
>
> Stopwatch2: 1403881875314702 2150; combined=1886, p1=90, p2=1793, p3=0,
> p4=0, p5=3, sr=26, sw=0, l=0, gc=0
>
> Response-Body-Transformed: Dechunked
>
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>
> Server: Apache
>
> Engine-Mode: "ENABLED"
>
> Can I use
> SecRuleUpdateTargetById 960024 !ARGS:/^code/
>
> or is it dangerous?
>
>
>
>
> 2014-06-27 16:08 GMT+01:00 Jamie Riden <jamie.ri...@gmail.com>:
>
>> Would
>>
>> SecRuleUpdateTargetById 960024 !ARGS:/^telfaxmailweb/
>>
>> be better in this instance?  (i.e. anchor the start of the line.)
>>
>> cheers,
>>  Jamie
>>
>> On 27 June 2014 15:57, Josh Amishav-Zlatin <jam...@owasp.org> wrote:
>> > On Fri, Jun 27, 2014 at 5:41 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>> >>
>> >> Hi, thank you for your reply.
>> >> BUT the problem is that the number    telfaxmailweb_1_171833   /
>> >> telfaxmailweb_1_142609   .... changes (non-static).
>> >> Do you have an idea?
>> >>
>> >
>> > Hi Ilyass,
>> >
>> > Try using a regex in your exception, e.g.:
>> > SecRuleUpdateTargetById 960024 !ARGS:/telfaxmailweb/
>> >
>> > --
>> >  - Josh
>> >
>> >>
>> >> thank you
>> >>
>> >>
>> >> 2014-06-27 8:04 GMT+01:00 Josh Amishav-Zlatin <jam...@owasp.org>:
>> >>
>> >>> On Thu, Jun 26, 2014 at 5:43 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>> >>>>
>> >>>> Hi Josh.
>> >>>>
>> >>>> It works very well, thank you :) :) :)
>> >>>>
>> >>>> I have another block :(   please help me.
>> >>>
>> >>>
>> >>> Hi Ilyass,
>> >>>
>> >>> In this case there is a hyphen in the telfaxmailweb_1_171833 parameter
>> >>> value. Try using the SecRuleUpdateTargetById directive, e.g.
>> >>> SecRuleUpdateTargetById 960024 !ARGS:telfaxmailweb_1_171833
>> >>>
>> >>> For details see:
>> >>> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
>> >>>
>> >>> --
>> >>>  - Josh
>> >>>
>> >>>>
>> >>>> log:
>> >>>>
>> >>>>
>> >>>>
>> >>>> --9b18757a-A--
>> >>>>
>> >>>> [26/Jun/2014:16:35:15 +0200] U6wvo38AAAEAAFCgA4AAAAAK
>> >>>>
>> >>>> --9b18757a-B--
>> >>>>
>> >>>> POST /beta/societe-contribEnt HTTP/1.1
>> >>>>
>> >>>> Host: www.xxxx.xxx
>> >>>>
>> >>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0)
>> >>>> Gecko/20100101 Firefox/30.0
>> >>>>
>> >>>> Accept: */*
>> >>>>
>> >>>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>> >>>>
>> >>>> Accept-Encoding: gzip, deflate
>> >>>>
>> >>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>> >>>>
>> >>>> X-Requested-With: XMLHttpRequest
>> >>>>
>> >>>> Referer: http://www.xxxx.ma/beta/xxxxx?action=edit
>> >>>>
>> >>>> Content-Length: 1735
>> >>>>
>> >>>> Cookie: JSESSIONID=2A3D8D47FE45427E1AAFC69A2FA48F7B;
>> >>>> __utma=111125463.1234468951.1403792976.1403792976.1403792976.1;
>> >>>> __utmb=111125463.7.10.1403792976; __utmc=111125463;
>> >>>> __utmz=111125463.1403792976.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
>> >>>>
>> >>>> Connection: keep-alive
>> >>>>
>> >>>> Pragma: no-cache
>> >>>>
>> >>>> Cache-Control: no-cache
>> >>>>
>> >>>>
>> >>>> --9b18757a-C--
>> >>>>
>> >>>>
>> >>>>
>> >>>> codeAction=1&entid=151549&bilid=148614&idMkt=1628&denomination=INFORISK&denomination_dirty=&entrc=135529&entrc_dirty=&tribunal=12&tribunal_dirty=&fmj=Soci%C3%A9t%C3%A9+Anonyme&fmj_dirty=&capital=12+650+000+Dirhams&capital_dirty=&adresse=43%2C+Boulevard+D'anfa&adresse_dirty=&ville=1488&ville_dirty=&activite=+Collecte%2C+traitement+et+vente+des+informations+financi%C3%A8res%2C+l%C3%A9gales+et+commerciales&activite_dirty=&effectif_dirty=&effectif=30&segmentEffectif_dirty=&segmentEffectif=2&effectifCadre_dirty=&effectifCadre=0&telfaxmailweb_1_171833_dirty=&telfaxmailweb_1_171833=05-22-27-64-10&telfaxmailweb_1_142609_dirty=&telfaxmailweb_1_142609=05-22-42-90-87&telfaxmailweb_1_0_2_dirty=&telfaxmailweb_1_0_2=__-__-__-__-__&telfaxmailweb_1_0_3_dirty=&telfaxmailweb_1_0_3=__-__-__-__-__&telfaxmailweb_2_142611_dirty=&telfaxmailweb_2_142611=05-22-27-64-16&telfaxmailweb_2_0_1_dirty=&telfaxmailweb_2_0_1=__-__-__-__-__&telfaxmailweb_2_0_2_dirty=&telfaxmailweb_2_0_2=__-__-__-__-__&telfaxmailweb_2_0_3_dirty=&telfaxmailweb_2_0_3=__-__-__-__-__&telfaxmailweb_3_142612_dirty=&telfaxmailweb_3_142612=info%40inforisk.ma&telfaxmailweb_3_0_1_dirty=&telfaxmailweb_3_0_1=&telfaxmailweb_3_0_2_dirty=&telfaxmailweb_3_0_2=&telfaxmailweb_3_0_3_dirty=&telfaxmailweb_3_0_3=&telfaxmailweb_4_142608_dirty=&telfaxmailweb_4_142608=www.inforisk.ma&telfaxmailweb_4_0_1_dirty=&telfaxmailweb_4_0_1=&telfaxmailweb_4_0_2_dirty=&telfaxmailweb_4_0_2=&telfaxmailweb_4_0_3_dirty=&telfaxmailweb_4_0_3=&idMktRefTypeContact_31241_dirty=&idMktRefTypeContact_31241=1&nom_31241=Ayouch&nom_31241_dirty=&prenom_31241=Khalid&prenom_31241_dirty=&tel_31241=__-__-__-__-__&tel_31241_dirty=&email_31241=test%40gmail.com&email_31241_dirty=1&contact_31241=1&contact_31241_dirty=1
>> >>>>
>> >>>> --9b18757a-F--
>> >>>>
>> >>>> HTTP/1.1 403 Forbidden
>> >>>>
>> >>>> Content-Length: 225
>> >>>>
>> >>>> Connection: close
>> >>>>
>> >>>> Content-Type: text/html; charset=iso-8859-1
>> >>>>
>> >>>>
>> >>>> --9b18757a-E--
>> >>>>
>> >>>>
>> >>>> --9b18757a-H--
>> >>>>
>> >>>> Message: Access denied with code 403 (phase 2). Pattern match
>> >>>> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
>> >>>> at ARGS:telfaxmailweb_1_171833. [file
>> >>>> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
>> >>>> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
>> >>>> Detection Alert - Total # of special characters exceeded"] [data "Matched
>> >>>> Data: - found within ARGS:telfaxmailweb_1_171833: 05-22-27-64-10"] [ver
>> >>>> "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
>> >>>> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>> >>>>
>> >>>> Action: Intercepted (phase 2)
>> >>>>
>> >>>> Apache-Handler: proxy-server
>> >>>>
>> >>>> Stopwatch: 1403793315275899 22265 (- - -)
>> >>>>
>> >>>> Stopwatch2: 1403793315275899 22265; combined=9584, p1=187, p2=9377,
>> >>>> p3=0, p4=0, p5=20, sr=28, sw=0, l=0, gc=0
>> >>>>
>> >>>> Response-Body-Transformed: Dechunked
>> >>>>
>> >>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>> >>>>
>> >>>> Server: Apache
>> >>>>
>> >>>> Engine-Mode: "ENABLED"
>> >>>>
>> >>>>
>> >>>> --9b18757a-Z--
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> 2014-06-26 13:44 GMT+01:00 Josh Amishav-Zlatin <jam...@owasp.org>:
>> >>>>
>> >>>>> On Thu, Jun 26, 2014 at 3:19 PM, Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>> >>>>>>
>> >>>>>> Hi guys.
>> >>>>>>
>> >>>>>> I don't understand why ModSecurity is blocking my request with the
>> >>>>>> character "à" in French.
>> >>>>>> log:
>> >>>>>
>> >>>>>
>> >>>>> Hi Ilyass,
>> >>>>>
>> >>>>> Take a look at the SecUnicodeCodePage and SecUnicodeMapFile directives.
>> >>>>> For more information see:
>> >>>>>
>> >>>>> http://blog.spiderlabs.com/2012/08/waf-normalization-and-i18n.html
>> >>>>>
>> >>>>> --
>> >>>>>  - Josh
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> --169a1612-A--
>> >>>>>>
>> >>>>>> [26/Jun/2014:11:48:57 +0200] U6vsiX8AAAEAAEkNI7cAAAAQ
>> >>>>>>
>> >>>>>> --169a1612-B--
>> >>>>>>
>> >>>>>> POST /beta/societe-xxxxxr HTTP/1.1
>> >>>>>>
>> >>>>>> Host: www.xxxx.xx
>> >>>>>>
>> >>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0)
>> >>>>>> Gecko/20100101 Firefox/30.0
>> >>>>>>
>> >>>>>> Accept: */*
>> >>>>>>
>> >>>>>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>> >>>>>>
>> >>>>>> Accept-Encoding: gzip, deflate
>> >>>>>>
>> >>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>> >>>>>>
>> >>>>>> X-Requested-With: XMLHttpRequest
>> >>>>>>
>> >>>>>> Referer: http://www.xxx.xxx/beta/societe-xxxx
>> >>>>>>
>> >>>>>> Content-Length: 760
>> >>>>>>
>> >>>>>> Cookie: JSESSIONID=DC9410B3998A7E973EDBA0ED638F5B40;
>> >>>>>> __utma=111125463.1374472637.1403014671.1403719512.1403772965.34;
>> >>>>>> __utmz=111125463.1403435014.17.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
>> >>>>>> __utmb=111125463.24.10.1403772965; __utmc=111125463;
>> >>>>>> JSESSIONID=EB7E51CFBA0B811E9335731DA6A26A08
>> >>>>>>
>> >>>>>> Connection: keep-alive
>> >>>>>>
>> >>>>>> Pragma: no-cache
>> >>>>>>
>> >>>>>> Cache-Control: no-cache
>> >>>>>>
>> >>>>>>
>> >>>>>> --169a1612-C--
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> codeAction=1&entid=367928&bilid=321761&idMkt=672&denomination=&capital=10+000+&activite=PRODUCTION+DES+FILMS+CINEMATOGRAPHIQUES+ET+AUDIOVISEUL&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=17%2F08%2F13+%C3%A0+15%3A41&loginUser=nabilchant%40hotmail.fr&emailUser=nabilchant%40hotmail.fr&id=672&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_734=on&telfaxmailweb_734_validator=1&data_734=0610357910&type_734=1&idMktTelfaxmailweb_734=0&telfaxmailweb_735=on&telfaxmailweb_735_validator=1&data_735=0633327850&type_735=1&idMktTelfaxmailweb_735=0&statut=1&remarque=
>> >>>>>>
>> >>>>>> --169a1612-F--
>> >>>>>>
>> >>>>>> HTTP/1.1 403 Forbidden
>> >>>>>>
>> >>>>>> Content-Length: 245
>> >>>>>>
>> >>>>>> Connection: close
>> >>>>>>
>> >>>>>> Content-Type: text/html; charset=iso-8859-1
>> >>>>>>
>> >>>>>>
>> >>>>>> --169a1612-E--
>> >>>>>>
>> >>>>>>
>> >>>>>> --169a1612-H--
>> >>>>>>
>> >>>>>> Message: Access denied with code 403 (phase 2). Pattern match
>> >>>>>> "\\W{4,}" at ARGS:dateContribution. [file
>> >>>>>> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"]
>> >>>>>> [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection
>> >>>>>> Alert - Repetative Non-Word Characters"] [data "Matched Data:  \xc3\xa0
>> >>>>>> found within ARGS:dateContribution: 17/08/13 \xc3\xa0 15:41"] [ver
>> >>>>>> "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
>> >>>>>>
>> >>>>>> Action: Intercepted (phase 2)
>> >>>>>>
>> >>>>>> Apache-Handler: proxy-server
>> >>>>>>
>> >>>>>> Stopwatch: 1403776137380257 11043 (- - -)
>> >>>>>>
>> >>>>>> Stopwatch2: 1403776137380257 11043; combined=642, p1=224, p2=399,
>> >>>>>> p3=0, p4=0, p5=19, sr=37, sw=0, l=0, gc=0
>> >>>>>>
>> >>>>>> Response-Body-Transformed: Dechunked
>> >>>>>>
>> >>>>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>> >>>>>>
>> >>>>>> Server: Apache
>> >>>>>>
>> >>>>>> Engine-Mode: "ENABLED"
>> >>>>>>
>> >>>>>>
>> >>>>>> --169a1612-Z--
>> >>>>>>
>> >>>>>>
>> >>>>>> How do I allow these types of characters?
>> >>>>>>
>> >>>>>> Thank you.
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> Owasp-modsecurity-core-rule-set mailing list
>> >>>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> >>>>>>
>> >>>>>>
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>> >>>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Ilyass kaouam
>> >>>> Systems administrator at Inforisk Group Finaccess
>> >>>> European Masters in Information Technology
>> >>>> Portable : (212) 6 34 57 14 36
>> >>>> http://www.inforisk.ma
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Ilyass kaouam
>> >> Systems administrator at Inforisk Group Finaccess
>> >> European Masters in Information Technology
>> >> Portable : (212) 6 34 57 14 36
>> >> http://www.inforisk.ma
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
>> http://uk.linkedin.com/in/jamieriden
>>
>
>
>
> --
> Ilyass kaouam
> Systems administrator at Inforisk Group Finaccess
> European Masters in Information Technology
> Portable : (212) 6 34 57 14 36
> http://www.inforisk.ma
>
>


--
Ilyass kaouam
Systems administrator at Inforisk Group Finaccess
European Masters in Information Technology
Portable : (212) 6 34 57 14 36
http://www.inforisk.ma
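As an added illustration of what this thread discusses (my own Python, not code from the thread, from ModSecurity or from the CRS project), the script below runs the two CRS 2.2.9 operator patterns quoted in the audit logs above, 981173 (restricted SQL character anomaly) and 960024 (`\W{4,}`), against values in the shape of the ones that were blocked, and emulates Ryan's two-step chain: a positive-security check on ARGS:code first, and only if it passes, the conditional `ctl:ruleRemoveTargetById=981173;ARGS:code` exclusion. It also shows why Josh pointed at SecUnicodeCodePage/SecUnicodeMapFile for the "à" case: ModSecurity 2.x applies `\W` to raw bytes, so the two UTF-8 bytes of "à" plus the spaces around it make four non-word characters, whereas the same pattern on decoded text does not match. The regexes are transcribed from the log lines and from Ryan's rule (his `A-z` typo corrected to `A-Z`, and kept beside it to show what the typo lets through); the helper names (`rule_981173_fires`, `inspect_code_param`, and so on) and the OAuth-style token are my own constructions and not part of any CRS API.

```python
import re

# Operator pattern of CRS 2.2.9 rule 981173 ("Restricted SQL Character Anomaly
# Detection"), transcribed from the audit-log lines quoted in this thread. The
# log prints it with doubled backslashes; this is the regex as PCRE sees it.
RULE_981173 = re.compile(
    r"([~!@#$%^&*()\-+={}\[\]|:;\"'\u00b4\u2019\u2018`<>].*?){4,}"
)

# Operator pattern of CRS 2.2.9 rule 960024 ("Meta-Character Anomaly Detection").
# ModSecurity 2.x evaluates it on raw request bytes, so it is compiled as a
# bytes pattern: each UTF-8 byte of a non-ASCII letter counts as a non-word char.
RULE_960024_BYTES = re.compile(rb"\W{4,}")
# Same pattern on decoded Unicode text, for contrast (letters such as "à" are \w).
RULE_960024_TEXT = re.compile(r"\W{4,}")

# Positive-security check from Ryan's mail, with the "A-z" typo corrected.
# fullmatch() is used so a trailing newline cannot slip past a "$" anchor.
EXPECTED_CODE = re.compile(r"[a-zA-Z0-9\-_]+")
# The original typo: the range A-z also spans [ \ ] ^ _ ` between 'Z' and 'a'.
TYPO_CODE = re.compile(r"[a-zA-z0-9\-_]+")


def rule_981173_fires(value: str) -> bool:
    """True when rule 981173 would alert on this parameter value."""
    return RULE_981173.search(value) is not None


def rule_960024_fires(value: str) -> tuple:
    """(fires on the UTF-8 bytes as ModSecurity does, fires on decoded text)."""
    raw = RULE_960024_BYTES.search(value.encode("utf-8")) is not None
    text = RULE_960024_TEXT.search(value) is not None
    return raw, text


def whitelist_accepts(pattern: re.Pattern, value: str) -> bool:
    """Whole-value match, equivalent to the ^...$ anchored @rx in the rule."""
    return pattern.fullmatch(value) is not None


def inspect_code_param(value: str) -> str:
    """Hypothetical emulation of Ryan's two-rule chain for ARGS:code.

    Step 1: if the value has the expected format, ctl:ruleRemoveTargetById
            drops ARGS:code from 981173 for this request only.
    Step 2: otherwise 981173 inspects the value as it normally would.
    """
    if whitelist_accepts(EXPECTED_CODE, value):
        return "pass: ARGS:code excluded from 981173 for this request"
    if rule_981173_fires(value):
        return "blocked by 981173"
    return "pass: 981173 did not match"


if __name__ == "__main__":
    # Constructed sample values in the shape of the ones quoted in the thread.
    samples = [
        "05-22-27-64-10",                  # phone number from the second log
        "17/08/13 \u00e0 15:41",           # date with "à" from the first log
        "AQAZ-n5iy-4NjU-smSI_dt890-Q5QT",  # constructed OAuth-style code
        "(1)+{2}=[3]",                     # constructed: fails the whitelist
        "abc^def",                         # shows what the A-z typo accepts
    ]
    for s in samples:
        print(f"{s!r:36} 981173={rule_981173_fires(s)} "
              f"960024(bytes,text)={rule_960024_fires(s)} "
              f"code->{inspect_code_param(s)} "
              f"typo_whitelist={whitelist_accepts(TYPO_CODE, s)}")
```

Running it shows the phone number and the OAuth-style token both trip 981173 (four hyphens satisfy `{4,}`), but only the token passes the whitelist and is therefore excluded conditionally, while a value such as `(1)+{2}=[3]` fails the whitelist and is still inspected. That is the difference Ryan draws between a conditional exclusion and a blanket `SecRuleUpdateTargetById` that removes the parameter from the rule for every request.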
