Re: [mod-security-users] SQLi False positive
From: Reindl H. <h.r...@th...> - 2012-01-10 10:26:55
this whole rule is crap! it blocks even urls like http://yourdomain/diverses/index.htm

On 10.01.2012 09:49, Sean O'Sullivan wrote:
> Hi
>
> There is a page on our website called Individual... ModSecurity is generating a false positive because the page
> name contains the word div, I have included the logs below. Is there any way to exclude a parameter from a rule if
> it contains a certain text string.
>
> I know this won't work but it is an example of what I am trying to do: SecRuleUpdateTargetById 981244
> !ARGS:pageType "@contains div".
>
> Message: Warning. Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at ARGS:pageType. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> Message: Warning. Pattern match "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*\\*.+(?:x?or|div|like|between|and|id)\\W*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\d)|(?:\\^(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98))|(?:^[\\w\\s(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)-]+( ..." at ARGS:pageType. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "573"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 13, SQLi=, XSS=): 981243-Detects classic SQL injection probings 2/2"]
> Apache-Handler: proxy-server
> Stopwatch: 1326169975607617 51819 (- - -)
> Stopwatch2: 1326169975607617 51819; combined=4777, p1=174, p2=4443, p3=1, p4=59, p5=100, sr=45, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/); core ruleset/2.2.3.
> Server: Apache/2.2.17 (
>
> Thanks in advance. Regards,
> Sean
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

-- 
Best regards,
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
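The question in the quoted post is how to stop rules 981243 and 981244 from inspecting ARGS:pageType only when that parameter carries the legitimate page name, without switching the SQLi rules off for everything else. SecRuleUpdateTargetById takes no operator, so the "@contains div" form from the post cannot be expressed with it; a conditional exclusion needs a SecRule that fires first and uses the ctl:ruleRemoveTargetById action (available from ModSecurity 2.6.0, the version in the log above). The configuration below is an added example written for this thread; it is not from the thread, from the CRS, or from either poster. The rule id 999001, the assumed parameter value "Individual", and the file placement are assumptions to adapt to the real site.

```apache
# Added example (not from the thread or the CRS). Scope the exclusion to one
# parameter, two rule ids and one known-good value so every other request and
# parameter is still inspected by the SQLi rules.
# Assumptions: rule id 999001 is free, and the false-positive value of
# ARGS:pageType is the page name "Individual" (which contains "div").

# Option 1: conditional exclusion. Runs in phase 1, before the CRS SQLi rules
# in modsecurity_crs_41_sql_injection_attacks.conf (phase 2), so the file that
# holds it must be included before the CRS rule files (for example a custom
# modsecurity_crs_15_*.conf). t:none keeps the comparison on the raw value.
SecRule ARGS:pageType "@streq Individual" \
    "phase:1,id:'999001',t:none,nolog,pass,\
    ctl:ruleRemoveTargetById=981243;ARGS:pageType,\
    ctl:ruleRemoveTargetById=981244;ARGS:pageType"

# Option 2: unconditional exclusion of the parameter from the two rules.
# This directive must come after the CRS rules have been loaded (it edits
# rules that already exist). It exempts pageType from these two checks for
# every value, not just the page name, so it is the wider exception.
# SecRuleUpdateTargetById 981243 !ARGS:pageType
# SecRuleUpdateTargetById 981244 !ARGS:pageType
```

After adding the rule, replay the same request and confirm in the audit log that 981243 and 981244 no longer fire on ARGS:pageType while TX:inbound_anomaly_score stays below the threshold; a request with a different pageType value should still be scored as before. Option 1 only exempts the exact value it names, so each additional legitimate page name that trips the rule needs either another @streq value or a tightly anchored @rx in the same rule.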