Hello,

I see how this tuning approach via negative scoring is meant to work. However, it is quite botched, if you'll excuse my wording. It actually looks like a huge backdoor. All you need to do is trigger an alert on 981172 and then submit a cookie Mycookie1/2/3/4, and then you get a discount of -20 anomaly scoring points for each cookie. Bonus points: each of the four cookies can be submitted more than once. That should have you covered for really crazy attacks.
Also, your exception does not log at all, so I cannot really tell if it triggered at all. Your "H" audit log block only points to the rule 981172 that was executed, but the way you handle it in the exceptions, you did not attempt to suppress this alert, but attempted to reduce the score again post factum.

Under the line, I think you need to start over from scratch. Also, life is much easier with CRS3, which has a ton fewer false positives. Namely, the annoying rule 981172 has been banned into the rarely activated Paranoia Level 4. Unfortunately, CRS3 depends on ModSec 2.8.0 (unless you want to comment out two key rules by hand in the rule set).

Ahoj,

Christian

On Fri, Oct 20, 2017 at 12:48:41PM +0200, devzero2000 wrote:
> Hi to all
>
> just updated a Centos 7.4 to mod_security_crs 2.2.9 and mod_security 2.7.3-5. In the
>
> /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_48_local_exceptions.conf
>
> file I have a rule like this that worked in earlier versions but no longer.
>
> Any idea ?
>
> Thank you very much
>
> SecRule TX:'/^981172.*/' "@rx .*" "chain,phase:2,t:none,nolog,noauditlog,pass,msg:'WHITELISTING %{rule.id}: Allowed false positive %{TX:0}',severity:'6',id:450010"
> SecRule REQUEST_COOKIES:'/^(Mycookie1|Mycookie2|Mycookie3|Mycookie4)/' "!^$" "t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
>
> Log
>
> --9d781c6e-H--
> Message: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" at REQUEST_COOKIES:Mycookie1. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: + found within REQUEST_COOKIES:Mycookie1: ve11n8OdWASErRyEZrw+29j8ihH2+RlST465bWRDDityPELrC/mXxSDAELEf1CSGT+knYFgt/3EWotqMvcFBiLlX0YDfDNxEnZ32pBzsp3B+45oPGeOc/lx16tGOY8Q+u1sfbcVEzHeNIpebO3DephHXQ3fz0v66Qh2Qc5umtNSPP4p4pVd7C3gxxuspE4wWJlN7uF2iwVxkm+VN1W6wRt4USriw9aQQX0Csz1wKQdMlK5nv/S+uK+QBA7OdVsfOK7BXVrrXkLo7J9GS9oGYrnrkzNZ5rzOZRyllaqYRVV2pnm0qrdEq0Fiont4Z2+iHYEpnSuQRJpGi+mAL+FMnI1TNOlxIAzOgwV0ENaKXOgyQe3JVHStFc5cVVCptTtkL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
> Apache-Handler: proxy-server
> Stopwatch: 1508316101057039 22395601 (- - -)
> Stopwatch2: 1508316101057039 22395601; combined=49089, p1=638, p2=48093, p3=3, p4=98, p5=177, sr=141, sw=80, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
> Server: Apache
> Engine-Mode: "ENABLED"
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
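Added example (not part of either mail in this thread): the exclusion Christian is asking for, which stops rule 981172 from inspecting the four named cookies so the anomaly score is never added in the first place, rather than subtracting points afterwards. It assumes ModSecurity 2.7.3 with CRS 2.2.9 as in the original post, reuses rule id 450010 from the original exception, and lives in the same modsecurity_crs_48_local_exceptions.conf file, which is loaded after the CRS rule files.

```apache
# Example rule exclusion for the 981172 false positive on Mycookie1..4.
# Not the original poster's configuration; written as a replacement for the
# negative-scoring exception quoted above.

# Option A: static target exclusion. SecRuleUpdateTargetById must appear after
# rule 981172 has been loaded, which the _48_ file name guarantees here.
# The regex-selector form matches the four cookie names from the original post.
SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:/^Mycookie[1-4]$/"

# Option B: runtime exclusion, applied only to requests that actually carry one
# of the cookies. Runs in phase 1, before the phase 2 CRS rule, and logs an
# entry so that the exception is visible in the error and audit logs (the
# original rule used nolog,noauditlog and left no trace).
SecRule REQUEST_COOKIES_NAMES "@rx ^Mycookie[1-4]$" \
    "id:450010,phase:1,pass,log,auditlog,t:none,\
    msg:'Local exception: excluding Mycookie1-4 from rule 981172',\
    ctl:ruleRemoveTargetById=981172;REQUEST_COOKIES:Mycookie1,\
    ctl:ruleRemoveTargetById=981172;REQUEST_COOKIES:Mycookie2,\
    ctl:ruleRemoveTargetById=981172;REQUEST_COOKIES:Mycookie3,\
    ctl:ruleRemoveTargetById=981172;REQUEST_COOKIES:Mycookie4"
```

Use one option, not both; with either, a request carrying the cookies no longer raises a 981172 alert, and tx.anomaly_score is untouched, so there is no per-cookie discount an attacker could stack.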