Hi there,

ModSecurity – or any WAF for that matter – produces false positives. If it does not produce false positives, then it's probably dead. A strict ruleset like the OWASP ModSecurity Core Rules brings a lot of false positives, and it takes some tuning to get down to a reasonable level of alerts. If you have tuned a few services, some of the rules will become familiar to you. But which rules are these?
I have assembled them in a blogpost at: https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/

Naturally, these rules are candidates to be moved to the said paranoia mode. Here are the most frequent "offenders" based on my experience (= customer sites):

950901 SQL Injection Attack: SQL Tautology Detected
959073 SQL Injection Attack
960015 Request Missing an Accept Header
960017 Host header is a numeric IP address
960024 Meta-Character Anomaly Detection Alert – Repetative Non-Word ...
981172 Restricted SQL Character Anomaly Detection Alert – Total # ...
981173 Restricted SQL Character Anomaly Detection Alert – Total # ...
981231 SQL Comment Sequence Detected
981243 Detects classic SQL injection probings 2/2
981248 Detects chained SQL injection attempts 1/2
981260 SQL Hex Encoding Identified

Comments welcome. Have a good week, everybody!

Christian

--
You don't have to be great to start, but you have to start to be great.
-- Zig Ziglar
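To find out which rules are the frequent offenders on your own service, you need per-rule hit counts from the ModSecurity error log before deciding what to exclude. The script below is an added example, not code from the post or from the CRS project: it counts `[id "..."]` hits over constructed ModSecurity 2.x Apache error-log lines, skips the inbound anomaly-score summary rule (981176 in CRS 2.2.x, assumed here), and prints a `SecRuleRemoveById` starting point for rules above a threshold. Whole-rule removal is coarse; for rules like 981172/981173 a per-parameter `SecRuleUpdateTargetById` exclusion is usually the better final tuning step.

```python
import re
from collections import Counter

# Constructed sample in the shape of Apache error-log entries written by
# ModSecurity 2.x with CRS 2.2.x; ids are the ones named in the post above.
SAMPLE_LOG = """\
[Sun Jan 17 12:00:01 2016] [error] [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/"]
[Sun Jan 17 12:00:02 2016] [error] [client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/login"]
[Sun Jan 17 12:00:03 2016] [error] [client 192.0.2.12] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "120"] [id "981231"] [msg "SQL Comment Sequence Detected"] [severity "CRITICAL"] [uri "/post"]
[Sun Jan 17 12:00:04 2016] [error] [client 192.0.2.13] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/api"]
[Sun Jan 17 12:00:05 2016] [error] [client 192.0.2.14] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "200"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [uri "/search"]
[Sun Jan 17 12:00:05 2016] [error] [client 192.0.2.14] ModSecurity: Access denied with code 403 (phase 2). [file "modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/search"]
[Sun Jan 17 12:00:06 2016] [error] [client 192.0.2.15] ModSecurity: Warning. Pattern match "..." at ARGS:body. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "120"] [id "981231"] [msg "SQL Comment Sequence Detected"] [severity "CRITICAL"] [uri "/post"]
"""

RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
# Summary/blocking rules are not false positives themselves; skip them when counting.
SUMMARY_RULES = {"981176"}  # assumed: CRS 2.2.x inbound anomaly score rule


def count_rule_hits(log_text):
    """Return (Counter of id -> hits, dict of id -> first seen msg)."""
    counts, msgs = Counter(), {}
    for line in log_text.splitlines():
        m = RULE_ID_RE.search(line)
        if not m or m.group(1) in SUMMARY_RULES:
            continue
        rid = m.group(1)
        counts[rid] += 1
        mm = MSG_RE.search(line)
        if mm:
            msgs.setdefault(rid, mm.group(1))
    return counts, msgs


def exclusion_stanza(counts, threshold):
    """SecRuleRemoveById line for every rule with at least `threshold` hits ("" if none)."""
    ids = sorted(rid for rid, n in counts.items() if n >= threshold)
    return "SecRuleRemoveById " + " ".join(ids) if ids else ""


if __name__ == "__main__":
    hits, messages = count_rule_hits(SAMPLE_LOG)
    for rid, n in hits.most_common():
        print(f"{n:5d} {rid} {messages.get(rid, '')}")
    print(exclusion_stanza(hits, threshold=2))
```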