Sorry Christian. I didn't look in your tutorial:

    CRS3: 152 x 942260 Detects basic SQL authentication bypass attempts 2/3
    -----------------------------------------------------------------
    # ModSec Rule Exclusion: 942260 : Detects basic SQL authentication bypass attempts 2/3
    SecRule REQUEST_URI "@beginsWith /drupal/index.php/search/node" "phase:2,nolog,pass,id:10003,ctl:ruleRemoveTargetById=942260;ARGS:keys"

Regards

On Tue, 15 November 2016 at 20:44, Christian Folini <christian.fol...@netnea.com> wrote:

> Kamil,
>
> Thanks for reporting.
>
> You are facing the following alerts:
>
> 920300 REQUEST_HEADERS:User-Agent Request Missing an Accept Header
> 920300 REQUEST_HEADERS:User-Agent Request Missing an Accept Header
> 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
> 942260 REQUEST_COOKIES:OutlookSession Detects basic SQL auth bypass
>
> 920300 is usually legitimate and likely points to a client not sending
> the accept header like it should. This is a widespread misbehaviour.
> That is why we pushed the rule to paranoia level 2. You are apparently
> running PL2 or higher. You should thus tune this alert away via a rule
> exclusion.
>
> The 942260 is likely also legitimate. It's just that your poor client
> has a session cookie smelling of SQL authentication bypass. You
> should exclude the said cookie from the list of parameters examined
> by 942260.
>
> My tutorials at https://www.netnea.com/cms/apache-tutorials give
> you detailed step-by-step instructions on how to do this.
>
> Best,
>
> Christian
>
> On Tue, Nov 15, 2016 at 05:54:52PM +0100, kamil kapturkiewicz wrote:
> > Hi,
> > I had this issue with the previous 2.2.9 version as well, but I am not really
> > sure whether it is related to mod_security itself or to CRS. The problem is with some
> > Windows machines; below is an example from one of our corporate users, who
> > is working on a Windows 7 machine. I am pretty sure the machine is not infected
> > by malware or something, and this problem occurs on FF, Chrome, Opera and
> > IE. But in combination with fail2ban, this cuts him off from the web server
> > every time he tries to access the company website. Do
> > you guys have any idea what is causing this?
> >
> > [Tue Nov 15 16:26:41.962933 2016] [:error] [pid 31434] [client 213.81.82.201] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> >
> > [Tue Nov 15 16:26:41.963976 2016] [:error] [pid 31434] [client 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..." at REQUEST_COOKIES:OutlookSession. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3QX8AAQEAAHrKJTMAAAAF"]
> >
> > [Tue Nov 15 16:26:44.390517 2016] [:error] [pid 31254] [client 213.81.82.201] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1251"] [id "920300"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
> >
> > [Tue Nov 15 16:26:44.391535 2016] [:error] [pid 31254] [client 213.81.82.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..." at REQUEST_COOKIES:OutlookSession. [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\x22{BB1B2590-E found within REQUEST_COOKIES:OutlookSession: \\x22{BB1B2590-EEE9-451E-9ABD-B75491F282EE}\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "WCs3RH8AAQEAAHoWjIUAAAAD"]
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
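The two rule exclusions Christian describes, written out for the Autodiscover URI seen in the logs, as an added example (not from the thread or from Christian's tutorials); the rule ids 10010 and 10011, the file placement and the choice to scope both exclusions by URI are assumptions.

```apache
# Added example: runtime rule exclusions for the two CRS 3.0 alerts in the thread.
# Place these in a file loaded before the CRS rules, e.g.
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, so the ctl actions run
# before the rules they modify. The ids 10010/10011 are assumed to be free
# in the local id range.

# 920300 (Request Missing an Accept Header, PL2): the Outlook Autodiscover
# client does not send an Accept header. Drop the rule only for that URI
# rather than globally, so other clients are still checked.
SecRule REQUEST_URI "@beginsWith /autodiscover/autodiscover.xml" \
    "phase:1,nolog,pass,id:10010,ctl:ruleRemoveById=920300"

# 942260 (basic SQL auth bypass 2/3): the OutlookSession cookie is a quoted
# GUID that trips the regex. Remove only that cookie from the rule's targets;
# all other arguments, cookies and headers are still inspected by 942260.
SecRule REQUEST_URI "@beginsWith /autodiscover/autodiscover.xml" \
    "phase:1,nolog,pass,id:10011,ctl:ruleRemoveTargetById=942260;REQUEST_COOKIES:OutlookSession"
```

After reloading Apache, the two log entries for that URI should disappear while the same cookie value on any other path still triggers 942260, which is the quickest way to confirm the exclusion is scoped as intended.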