Hi Christian,
nice post! I completely agree about the following rules:
981172 Restricted SQL Character Anomaly Detection Alert – Total # ...
981173 Restricted SQL Character Anomaly Detection Alert – Total # ...
My users often disable these two rules. I think that a false positive
occurs each time these rules match a sequence of the same char in the
URL. For example /mypost/title-of-my-new-blogpost or
/verifyurl/sessionid----abcde1234.
Probably this shouldn't happen with a rule that matches a sequence of
different chars in the URL (/foo/bar-john@doe(bla)).
I've just tweeted your post :)
thanks!
-theMiddle
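Editor's note: the following script is an added example, not code from either poster or from the Core Rule Set. It puts the two counting strategies discussed above side by side: the total number of restricted SQL characters in a value (an approximation of what rules 981172/981173 check, assumed here to fire at four or more restricted characters; the exact character class and threshold are assumptions, not copied from the ruleset) and the number of *distinct* restricted characters, which is the variant proposed in the reply. The sample strings are the two URLs and the mixed-character path from the reply plus two constructed textbook injection payloads, so the trade-off is visible: counting distinct characters suppresses both repeated-hyphen false positives, but it also stops firing on the classic payloads, whose special characters are mostly repeats of the quote. Note that the script scores a raw string; the CRS rules apply their pattern to the variables they target (request arguments, argument names, cookies), so only the counting logic is modelled here.

```python
import re

# Assumed approximation of the restricted-character class used by CRS 2.2.x
# rules 981172/981173; not copied verbatim from the ruleset.
RESTRICTED = set("~!@#$%^&*()-+={}[]|:;\"'`<>")

# Assumed threshold: the CRS regex is of the form "([...restricted...].*?){N,}",
# which is equivalent to "N or more restricted characters anywhere in the value".
THRESHOLD = 4

# Regex form of the total-count check, mirroring the CRS style of pattern.
_CRS_STYLE = re.compile(r"([" + re.escape("".join(sorted(RESTRICTED))) + r"].*?){%d,}" % THRESHOLD)


def count_restricted(value: str) -> int:
    """Total number of restricted characters in the value (repeats count)."""
    return sum(1 for ch in value if ch in RESTRICTED)


def count_distinct_restricted(value: str) -> int:
    """Number of different restricted characters in the value (the proposed variant)."""
    return len({ch for ch in value if ch in RESTRICTED})


def classify(value: str, threshold: int = THRESHOLD) -> dict:
    """Return whether each strategy would raise an alert on the value."""
    total = count_restricted(value)
    distinct = count_distinct_restricted(value)
    # Sanity check: the regex form and the counting form must agree.
    assert (total >= threshold) == bool(_CRS_STYLE.search(value))
    return {
        "total_hits": total >= threshold,
        "distinct_hits": distinct >= threshold,
    }


# Constructed sample inputs: three strings from the reply above and two
# textbook SQL injection payloads added for comparison.
SAMPLES = [
    "/mypost/title-of-my-new-blogpost",    # four hyphens, all the same char
    "/verifyurl/sessionid----abcde1234",   # four hyphens in a row
    "/foo/bar-john@doe(bla)",              # four different restricted chars
    "' OR 1=1 --",                         # tautology: ' = - -
    "1' AND '1'='1",                       # tautology: four quotes and one =
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print(f"{s!r:38} total={count_restricted(s)} distinct={count_distinct_restricted(s)} "
              f"fires(total)={r['total_hits']} fires(distinct)={r['distinct_hits']}")
```

Running the script shows the two blog-style URLs firing only under the total count, the mixed-character path firing under both, and both injection payloads firing only under the total count. In other words, the distinct-character variant trades the repeated-hyphen false positives for missed tautologies, so in practice the safer tuning for a site with such URLs is a targeted exclusion (for example ModSecurity's SecRuleUpdateTargetById to drop the offending argument from 981173) rather than a weaker pattern.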
On 18/01/16 05:30, Christian Folini wrote:
Hi there,
ModSecurity – or any WAF for that matter – produces false positives. If
it does not produce false positives, then it’s probably dead. A strict
ruleset like the OWASP ModSecurity Core Rules brings a lot of false
positives and it takes some tuning to get to a reasonable level of
alerts. If you have tuned a few services, then some of the rules will
become familiar to you. But which ones are these rules?
I have assembled them in a blogpost at:
https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/
Naturally, these rules are candidates to be moved to the said
paranoia mode.
Here are the most frequent "offenders" based on my experience (=
customer sites).
950901 SQL Injection Attack: SQL Tautology Detected.
959073 SQL Injection Attack
960015 Request Missing an Accept Header
960017 Host header is a numeric IP address
960024 Meta-Character Anomaly Detection Alert – Repetative Non-Word ...
981172 Restricted SQL Character Anomaly Detection Alert – Total # ...
981173 Restricted SQL Character Anomaly Detection Alert – Total # ...
981231 SQL Comment Sequence Detected
981243 Detects classic SQL injection probings 2/2
981248 Detects chained SQL injection attempts 1/2
981260 SQL Hex Encoding Identified
Comments welcome.
Have a good week, everybody!
Christian
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set