[Mod-security-rules] Arabic and Kurdish Characters triggers false positives
From: Muhammed M. <ze...@gm...> - 2013-06-30 11:19:28
Hello,

I installed Mod_Security v2.7.4 with the latest OWASP CRS and activated all of them. I am using ModSecurity to protect a web application that has SQL queries that contain Arabic and Kurdish characters. This is causing mod-security to trigger false positives:

-------------------------- Apache's error_log ---------------------------

[Sun Jun 30 13:45:43 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at ARGS:DocCopyList. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\xb4 found within ARGS:DocCopyList: \\xd9\\x8a\\xd8\\xb4\\xd9\\x8a\\xd8\\xb4\\xd8\\xb3\\xd9\\x8a\\xd8\\xb4"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] [unique_id "UdAMV8CoCzwAAHRHMhYAAAAB"]

[Sun Jun 30 13:45:47 2013] [error] [client 192.168.11.146] PHP Notice: Trying to get property of non-object in /var/www/html/DMS-V2/class/db_class.php on line 89, referer: http://192.168.11.60/DMS-V2/box.php?docType=2

[Sun Jun 30 13:33:56 2013] [error] [client 192.168.11.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:DepFromName. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "164"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \\x80 found within ARGS:DepFromName: \\xda\\xaf\\xd8\\xb4\\xd8\\xaa\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xdb\\x8e\\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xa8\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb1\\xd8\\xa7\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c \\xd8\\xaa\\xdb\\x8c\\xd9\\x87\\xe2\\x80\\x8c\\xd9\\x83\\xd8\\xa7\\xd9\\x86\\xdb\\x8c \\xd9\\x88\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xb2\\xd8\\xa7\\xd8\\xb1\\xd9\\x87\\xe2\\x80\\x8c\\xd8\\xaa"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "192.168.11.60"] [uri "/DMS-V2/doc_out/doc_out_new.php"] [unique_id "UdAJlMCoCzwAAG8IO@YAAAAH"]

-------------------------- Line 66 of /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf ---------------------------

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

-------------------------- Line 164 of /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf ---------------------------

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

I tried excluding the DocCopyList and DepFromName variables by adding !ARGS:variablename to the rules, but it did not help since all the variables have Arabic and Kurdish characters.

I also added:

SecUnicodeCodePage 1256
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

to the modsecurity.conf file and the /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf, but it does not seem to be changing anything.

How can I stop mod-security from detecting Arabic characters as SQL injection attacks?

Best regards,
ZerTux
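As an added illustration (not part of the original post, and not CRS or ModSecurity code), the following Python reproduces both log entries: it runs the two rule regexes once over the raw request bytes, the way a regex engine without UTF-8 mode sees them, and once over decoded code points, and lists which characters of the request share a byte with the rule's multibyte quote literals. The sample inputs are the byte sequences quoted in the two log entries above (DepFromName truncated to its first two words); the rule's transformation chain (t:urlDecodeUni) is not modelled.

```python
import re

# Regexes copied from CRS 2.2.7 rules 981318 and 981173 (the conf lines quoted above).
RULE_981318 = r'''(^[\"'`´’‘;]+|[\"'`´’‘;]+$)'''
RULE_981173 = r'''([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}'''

# Constructed samples: raw argument bytes taken from the two log entries.
DOC_COPY_LIST = b"\xd9\x8a\xd8\xb4\xd9\x8a\xd8\xb4\xd8\xb3\xd9\x8a\xd8\xb4"   # "يشيشسيش"
DEP_FROM_NAME = (b"\xda\xaf\xd8\xb4\xd8\xaa\xd8\xa8\xd9\x87\xe2\x80\x8c"      # first two words of
                 b"\xd8\xb1\xdb\x8e\xd9\x88\xd9\x87\xe2\x80\x8c")             # the logged value


def match_bytewise(pattern: str, value: bytes, group: int = 0):
    """Run the rule as a byte-oriented engine does: the UTF-8 literals in the
    class (´ = C2 B4, ’ = E2 80 99, ‘ = E2 80 98) fall apart into single-byte
    members, so a continuation byte of an Arabic letter (ش = D8 B4) or of a
    zero-width non-joiner (E2 80 8C) is "a quote". Returns the logged TX value."""
    m = re.search(pattern.encode("utf-8"), value)
    return m.group(group) if m else None


def match_codepoints(pattern: str, value: bytes, group: int = 0):
    """Run the same rule over decoded code points, where ش and ´ are distinct."""
    m = re.search(pattern, value.decode("utf-8"))
    return m.group(group) if m else None


def suspect_bytes(pattern: str) -> set:
    """Non-ASCII bytes that UTF-8 encoding of the pattern adds to its character class."""
    return {b for b in pattern.encode("utf-8") if b >= 0x80}


def chars_tripping_rule(pattern: str, value: bytes) -> list:
    """Decoded characters of value that contain one of those bytes, in order of
    first appearance: the characters a byte-oriented engine will flag."""
    bad = suspect_bytes(pattern)
    seen = []
    for ch in value.decode("utf-8"):
        if ch not in seen and any(b in bad for b in ch.encode("utf-8")):
            seen.append(ch)
    return seen


if __name__ == "__main__":
    print("981318 bytes    :", match_bytewise(RULE_981318, DOC_COPY_LIST))      # b'\xb4'
    print("981318 codepoint:", match_codepoints(RULE_981318, DOC_COPY_LIST))    # None
    print("981173 bytes    :", match_bytewise(RULE_981173, DEP_FROM_NAME, 1))   # b'\x80'
    print("981173 codepoint:", match_codepoints(RULE_981173, DEP_FROM_NAME, 1)) # None
    print("culprits:", chars_tripping_rule(RULE_981173, DEP_FROM_NAME))        # ['ش', '\u200c']
```

The byte-mode results are exactly the "Matched Data: \xb4" and "Matched Data: \x80" values in the log, while the code-point run finds nothing; the `chars_tripping_rule` output tells you which letters in a given field will keep triggering the rule.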