Re: [mod-security-users] False positive
From: Ryan B. <rya...@br...> - 2009-11-24 15:55:36
On Tuesday 24 November 2009 10:35:37 am Superpizza wrote:
> Hi everyone.
>
> I'm a bit puzzled on how to handle a false positive
> for a couple of rules belonging to
> "Comment Evasion Attempt" ruleset.
> (in modsecurity_crs_41_phpids_converter.conf)
>

Since this is a core rule set exception issue - please sign up and post this to the official OWASP CRS mail-list - https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

I will respond there.

-Ryan

> I've got a form taking 2 parameters, say "LOGIN" & "PASSWORD".
> If password is set to "---aa---" rules are triggered,
> and this causes a false positive.
> If I well understood best practice should be modifying:
> modsecurity_crs_48_local_exceptions.conf
> I can't understand how to update this file in order
> to avoid matching parameter "PASSWORD" against
> both of the rules.
>
> --7a02be68-C--
> LOGIN=12345678&PASSWD=---aa---
> --7a02be68-F--
> HTTP/1.1 403 Forbidden
> Last-Modified: Thu, 13 Nov 2008 09:30:44 GMT
>
> --7a02be68-H--
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "28"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_converter.conf"] [line "34"] [msg "Comment Evasion Attempt"] [data "---"] [severity "WARNING"] [tag "WEB_ATTACK/EVASION"]
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 60): Comment Evasion Attempt"]
> Action: Intercepted (phase 2)
>
>
> Thanks for your help.
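
An added example (not part of the original message, and not ModSecurity or CRS code): a small Python triage script that parses the section H "Message:" lines from the excerpt above, groups them by rule file and line, and reports which variables would still match after one is excluded. The function names are hypothetical, and Python's re module stands in for ModSecurity's PCRE engine, which behaves the same for this pattern.

```python
import os
import re
from collections import defaultdict

# Section H lines from the audit-log excerpt above (repeats dropped,
# wrapped file names rejoined).
BASE = "/usr/local/apache/conf/modsecurity/base_rules/"
PHPIDS = BASE + "modsecurity_crs_41_phpids_converter.conf"
TAIL = '[msg "Comment Evasion Attempt"] [data "---"]'
AUDIT_H = "\n".join([
    'Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "%s"] [line "28"] %s' % (PHPIDS, TAIL),
    'Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "%s"] [line "28"] %s' % (PHPIDS, TAIL),
    'Message: Pattern match "(?:--[^-]*-)" at REQUEST_BODY. [file "%s"] [line "34"] %s' % (PHPIDS, TAIL),
    'Message: Pattern match "(?:--[^-]*-)" at ARGS:PASSWD. [file "%s"] [line "34"] %s' % (PHPIDS, TAIL),
    'Message: Warning. Operator GE matched 5 at TX:anomaly_score. '
    '[file "%smodsecurity_crs_60_correlation.conf"] [line "41"]' % BASE,
])

# Only "Pattern match" entries name a rule pattern and the variable it hit;
# the anomaly-score correlation entry is deliberately not matched.
MSG_RE = re.compile(
    r'^Message: Pattern match "(?P<pattern>.+?)" at (?P<var>[A-Z_]+(?::[^\s.]+)?)\. '
    r'\[file "(?P<file>[^"]+)"\] \[line "(?P<line>\d+)"\]', re.M)

def parse_hits(section_h):
    """Map (rule file name, line) -> set of variables the rule matched at."""
    hits = defaultdict(set)
    for m in MSG_RE.finditer(section_h):
        hits[(os.path.basename(m["file"]), int(m["line"]))].add(m["var"])
    return dict(hits)

def remaining_after_exclusion(hits, excluded_var):
    """Rule locations that still match once excluded_var is not inspected."""
    left = {rule: sorted(v - {excluded_var}) for rule, v in hits.items()}
    return {rule: v for rule, v in left.items() if v}

def matched_data(pattern, value):
    """Return the substring the rule pattern matches in value, or None."""
    m = re.search(pattern, value)
    return m.group(0) if m else None

if __name__ == "__main__":
    hits = parse_hits(AUDIT_H)
    for rule, variables in sorted(hits.items()):
        print(rule, sorted(variables))
    print("still matching:", remaining_after_exclusion(hits, "ARGS:PASSWD"))
    print("matched data:", matched_data(r"(?:--[^-]*-)", "---aa---"))
```

For this log, both rule locations still match at REQUEST_BODY after ARGS:PASSWD is excluded, so an exception scoped only to that parameter would not clear the alert.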