Hello,

I installed ModSecurity v2.7.4 with the latest OWASP CRS and activated all of the rules. I am using ModSecurity to protect a web application whose SQL queries contain Arabic and Kurdish characters. This is causing ModSecurity to trigger false positives:


--------------------------
Apache's error_log
---------------------------
[Sun Jun 30 13:45:43 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at ARGS:DocCopyList. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\xb4 found within ARGS:DocCopyList:  \\xd9\\x8a\\xd8\\xb4\\xd9\\x8a\\xd8\\xb4\\xd8\\xb3\\xd9\\x8a\\xd8\\xb4"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] [unique_id "UdAMV8CoCzwAAHRHMhYAAAAB"]
[Sun Jun 30 13:45:47 2013] [error] [client 192.168.11.146] PHP Notice:  Trying to get property of non-object in /var/www/html/DMS-V2/class/db_class.php on line 89, referer: http://192.168.11.60/DMS-V2/box.php?docType=2


[Sun Jun 30 13:33:56 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:DepFromName. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "164"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \\x80 found within ARGS:DepFromName: \\xda\\xaf\\xd8\\xb4\\xd8\\xaa\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xdb\\x8e\\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xd8\\xa7\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c \\xd8\\xaa\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c\\xd9\\x83\\xd8\\xa7\\xd9\\x86\\xdb\\x8c \\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb2\\xd8\\xa7\\xd8\\xb1\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xaa"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] [unique_id "UdAJlMCoCzwAAG8IO@YAAAAH"]


----------------------------------------------------------------------------------------------------------------------------------
Line 66 of /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
----------------------------------------------------------------------------------------------------------------------------------
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


-----------------------------------------------------------------------------------------------------------------------------------
Line 164  of /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
-----------------------------------------------------------------------------------------------------------------------------------

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


I tried excluding the DocCopyList and DepFromName variables by adding !ARGS:variablename to the rules, but it did not help since all the variables have Arabic and Kurdish characters.
I also added:
SecUnicodeCodePage 1256
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

to the modsecurity.conf file and to /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf, but it does not seem to change anything.

How can I stop ModSecurity from detecting Arabic characters as SQL injection attacks?

Best regards,
ZerTux
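The two captures in the error_log above point at the root cause: rule 981318 reports a lone `\xb4` (the second byte of the Arabic letter `\xd8\xb4`), and rule 981173 reports a lone `\x80` (the middle byte of the zero-width non-joiner `\xe2\x80\x8c`). Both rules list the typographic quotes ´ ’ ‘ inside a regex character class; when the pattern is matched byte by byte rather than per code point, each byte of those quotes (C2 B4 E2 80 99 98) becomes an independent class member, and any UTF-8 text that happens to contain one of those bytes matches. The script below is an added illustration, not code from the original post or from the CRS project: it reproduces both false positives in Python's `re` using the argument bytes from the log, shows that the same patterns compiled on code points do not fire, and includes a hypothetical `SAFE_981318_BYTES` rewrite that spells the multi-byte quotes as complete sequences in an alternation, so a stray byte of an Arabic letter can no longer satisfy the class. The rewrite is only an illustration of the technique; it is not the CRS project's fix for these rules.

```python
import re

# Constructed sample values: the argument bytes reproduced from the two
# error_log entries in the post (ARGS:DocCopyList in full, a prefix of
# ARGS:DepFromName). Both are ordinary UTF-8 Arabic/Kurdish text.
DOC_COPY_LIST = "يشيشسيش".encode("utf-8")          # last letter U+0634 = \xd8\xb4
DEP_FROM_NAME = (b"\xda\xaf\xd8\xb4\xd8\xaa\xd8\xa8\xd9\x87\xe2\x80\x8c"
                 b"\xd8\xb1\xdb\x8e\xd9\x88\xd9\x87\xe2\x80\x8c")  # U+200C ZWNJ = \xe2\x80\x8c

# Rule 981318 and 981173 patterns compiled on bytes, i.e. the way a regex
# engine without UTF-8 mode sees them: the quotes ´ ’ ‘ contribute their
# individual bytes (C2 B4 E2 80 99 98) to the character class.
RULE_981318_BYTES = re.compile(
    rb"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)")
RULE_981173_BYTES = re.compile(
    rb"([~!@#$%^&*()\-+=\{\}\[\]|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>].*?){4,}")

# The same patterns compiled on str: the class then holds code points, so an
# Arabic letter or a ZWNJ is compared as a whole and never matches a quote.
RULE_981318_UNICODE = re.compile(r"(^[\"'`´’‘;]+|[\"'`´’‘;]+$)")
RULE_981173_UNICODE = re.compile(r"([~!@#$%^&*()\-+=\{\}\[\]|:;\"'´’‘`<>].*?){4,}")

# Hypothetical byte-safe rewrite of 981318 (an illustration, not the CRS fix):
# the multi-byte quotes are written as complete sequences in an alternation
# instead of a character class, so a lone 0xB4 or 0x80 that belongs to a
# different UTF-8 sequence cannot satisfy the pattern on its own.
SAFE_981318_BYTES = re.compile(
    rb"(^(?:[\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+"
    rb"|(?:[\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+$)")


def matched_data(pattern, value):
    """Return what the rule's logdata would report as 'Matched Data': the
    capture of group 1, or None when the rule does not fire on the value."""
    m = pattern.search(value)
    return m.group(1) if m else None


def explain_false_positive(value: bytes) -> dict:
    """Run one argument value through both rules in byte mode and in
    code-point mode and return the captured fragments side by side."""
    text = value.decode("utf-8")
    return {
        "981318_bytes": matched_data(RULE_981318_BYTES, value),
        "981318_unicode": matched_data(RULE_981318_UNICODE, text),
        "981173_bytes": matched_data(RULE_981173_BYTES, value),
        "981173_unicode": matched_data(RULE_981173_UNICODE, text),
    }


if __name__ == "__main__":
    for name, value in (("DocCopyList", DOC_COPY_LIST), ("DepFromName", DEP_FROM_NAME)):
        print(name, explain_false_positive(value))
    # The rewrite must still fire on the leading/trailing quote probes the
    # rule is meant to catch, while staying silent on the Arabic/Kurdish text.
    for probe in (b"'admin", "\u00b4admin".encode("utf-8"), b"1; DROP TABLE x;",
                  DOC_COPY_LIST, DEP_FROM_NAME):
        print(probe, matched_data(SAFE_981318_BYTES, probe))
```

Running it prints `b'\xb4'` and `b'\x80'` for the byte-mode checks, exactly the fragments the error_log shows, and `None` for the code-point checks; the rewrite returns `None` for both Arabic/Kurdish values and still captures the quote or semicolon in the three probes. The same byte-versus-code-point comparison is a quick way to triage any CRS alert whose "Matched Data" is a single high byte out of an otherwise legitimate UTF-8 value.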