Re: [Owasp-modsecurity-core-rule-set] Stumped on a false positive rule 950901

Wed, 13 Aug 2014 13:38:38 -0700 

What if you change your regex representing the URI to escape the /

SecRule REQUEST_LINE "PUT \/api\/search\/posit\/\d{3}"
"chain,phase:2,t:none,t:compressWhiteSpace,nolog,pass"
        SecRule ARGS|REQUEST_BODY "@streq and60"
"nolog,ctl:ruleRemoveById=905901"


On Wed, Aug 13, 2014 at 1:43 PM, Dan Goldberg <d...@madjic.net> wrote:

> Hi,
> I would like a little help if possible writing an exception for what
> is being tagged as a SQL Injection attempt.
>
> here is the audit log data:
> [Wed Aug 13 16:58:59 2014] [error] [client aaa.bbb.ccc.ddd]
> ModSecurity: Access denied with code 403 (phase 2). Pattern match
> "\\\\b(\\\\d+)
>  ?(?:=|<>|<=>|<|>|!=)
>
> ?\\\\1\\\\b|[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98](\\\\d+)[\\\\'\\"\\\\`\\\\\\xc2\\x
> b4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98] ?(?:=|<>|<=>|<|>|!=)
> ?[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98]\\\\
> 2\\\\b|[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x98 ..." at
> ARGS:position[e_statement]. [file "/usr/share/modsecurity-crs/activate
> d_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "435"]
> [id "950901"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data " a
> nd 60"] [severity "CRITICAL"] [hostname "test.example.com"] [uri
> "/api/search/posit/509"] [unique_id "U@uZUwoAZa
> IAAEDBdrsAAAAG"]
>
> The text in a PUT validated by the web app contains a statement about
> some regulations all URL encoded:
>
> The string it is objecting to is in the PUT body here:
> CFR+%26sect%3B%26sect%3B+60-1.4(a)%2C+60-300.5(a)+and+60-741.5(a).
>
> My current rule is:
> SecRule REQUEST_LINE "PUT /api/search/posit/\d{3}"
> "chain,phase:2,t:none,t:compressWhiteSpace,nolog,pass"
>         SecRule ARGS|REQUEST_BODY "@streq and60"
> "nolog,ctl:ruleRemoveById=905901"
> Any ideas? please?
> Thanks Dan
>
> --
> --
> d...@madjic.net
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>



-- 
Joshua Roback

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to