Hi Joshua,
Thank you for the feedback. In this case I have lots of rules
functioning perfectly without escaping the / chars. I will give it a
try.
By the way, I did post an error: the ruleID is 950901, not 905901.
That didn't help either though.

Thanks Dan

On Wed, Aug 13, 2014 at 4:26 PM, Joshua Roback <jrob...@gmail.com> wrote:
> What if you change your regex representing the URI to escape the /
>
> SecRule REQUEST_LINE "PUT \/api\/search\/posit\/\d{3}"
>
> "chain,phase:2,t:none,t:compressWhiteSpace,nolog,pass"
>         SecRule ARGS|REQUEST_BODY "@streq and60"
> "nolog,ctl:ruleRemoveById=905901"
>
>
> On Wed, Aug 13, 2014 at 1:43 PM, Dan Goldberg <d...@madjic.net> wrote:
>>
>> Hi,
>> I would like a little help if possible writing an exception for what
>> is being tagged as a SQL Injection attempt.
>>
>> here is the audit log data:
>> [Wed Aug 13 16:58:59 2014] [error] [client aaa.bbb.ccc.ddd]
>> ModSecurity: Access denied with code 403 (phase 2). Pattern match
>> "\\\\b(\\\\d+)
>>  ?(?:=|<>|<=>|<|>|!=)
>>
>> ?\\\\1\\\\b|[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98](\\\\d+)[\\\\'\\"\\\\`\\\\\\xc2\\x
>> b4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98] ?(?:=|<>|<=>|<|>|!=)
>> ?[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98]\\\\
>> 2\\\\b|[\\\\'\\"\\\\`\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x98 ..." at
>> ARGS:position[e_statement]. [file "/usr/share/modsecurity-crs/activate
>> d_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "435"]
>> [id "950901"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data " a
>> nd 60"] [severity "CRITICAL"] [hostname "test.example.com"] [uri
>> "/api/search/posit/509"] [unique_id "U@uZUwoAZa
>> IAAEDBdrsAAAAG"]
>>
>> The text in a PUT validated by the web app contains a statement about
>> some regulations all URL encoded:
>>
>> The string it is objecting to is in the PUT body here:
>> CFR+%26sect%3B%26sect%3B+60-1.4(a)%2C+60-300.5(a)+and+60-741.5(a).
>>
>> My current rule is:
>> SecRule REQUEST_LINE "PUT /api/search/posit/\d{3}"
>> "chain,phase:2,t:none,t:compressWhiteSpace,nolog,pass"
>>         SecRule ARGS|REQUEST_BODY "@streq and60"
>> "nolog,ctl:ruleRemoveById=905901"
>> Any ideas? please?
>> Thanks Dan
>>
>> --
>> --
>> d...@madjic.net
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>
>
>
> --
> Joshua Roback



-- 
--
d...@madjic.net
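
Added example, not part of the original thread: a Python model of the ModSecurity semantics involved (@streq, @contains, t:compressWhiteSpace), run against the values quoted in the thread to check each condition of the posted exception. The HTTP version in the request line, and treating the quoted body fragment as the whole value of ARGS:position[e_statement], are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Values copied from the thread, except where marked as constructed.
REQUEST_LINE = "PUT /api/search/posit/509 HTTP/1.1"  # constructed: logged uri + assumed HTTP version
RAW_VALUE = "CFR+%26sect%3B%26sect%3B+60-1.4(a)%2C+60-300.5(a)+and+60-741.5(a)."
LOG_FRAGMENT = '[id "950901"] [rev "2.2.0"] [msg "SQL Injection Attack"]'
EXCEPTION_ACTIONS = "nolog,ctl:ruleRemoveById=905901"


def compress_whitespace(s):
    """Model of t:compressWhiteSpace: each run of whitespace becomes one space."""
    return re.sub(r"[ \f\t\n\r\v\xa0]+", " ", s)


def streq(value, param):
    """Model of @streq: true only when the whole value equals the parameter."""
    return value == param


def contains(value, param):
    """Model of @contains: true when the parameter occurs anywhere in the value."""
    return param in value


def diagnose():
    """Evaluate each condition of the posted exception against the logged request."""
    value = compress_whitespace(unquote_plus(RAW_VALUE))
    blocked_id = re.search(r'\[id "(\d+)"\]', LOG_FRAGMENT).group(1)
    removed_id = re.search(r"ruleRemoveById=(\d+)", EXCEPTION_ACTIONS).group(1)
    return {
        "decoded_value": value,
        # Escaping "/" makes no difference to the first rule in the chain.
        "uri_unescaped": bool(re.search(r"PUT /api/search/posit/\d{3}", REQUEST_LINE)),
        "uri_escaped": bool(re.search(r"PUT \/api\/search\/posit\/\d{3}", REQUEST_LINE)),
        # The chained condition as posted: whole-value equality with "and60".
        "streq_and60": streq(value, "and60"),
        # Whitespace is compressed, not removed, so "and60" is not even a substring.
        "contains_and60": contains(value, "and60"),
        "contains_and_60": contains(value, " and 60"),
        # The ctl action only helps if it names the rule that actually fired.
        "ids_match": blocked_id == removed_id,
    }


if __name__ == "__main__":
    for name, result in diagnose().items():
        print(f"{name}: {result}")
```
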