[mod-security-users] mod-security errors
From: Paul B. <pau...@ou...> - 2020-02-27 13:39:19
I'm currently trying to update a web application firewall on a reverse-proxy.
It's running:
RHEL6
Apache 2.4.41 (built from source)
Mod-Security 2.9.3 (built from source)
Mod-Security CRS 3.2
I'm currently encountering an issue which, despite spending a while googling, I have failed to understand or find a solution for.
I'm seeing errors being thrown, attributed to apache2_util.c, line 271 (this can happen multiple times for the same request, with multiple rule IDs in the error output).
I've had to redact <IP>, <port>, <hostname.domain>, <dir> in the entries from my logs below.
In my error log:
[2020-02-27 12:55:58.354429] [-:error] <IP.IP.IP.IP>:<PORT> Xle8Xm1W8IE8Ef-M70HyFAAAAQA [client <IP.IP.IP.IP>] ModSecurity: Warning. Pattern match "(?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\\\s*?\\\\(\\\\s*?space\\\\s*?\\\\(|,.*?[)\\\\da-f\\"'`][\\"'`](?:[\\"'`].*?[\\"'`]|(?:\\\\r?\\\\n)?\\\\z|[^\\"'`]+)|\\\\Wselect.+\\\\W*?from))" at ARGS_NAMES:{"query":"query CacheChangeStream(\\\\n $resumptionToken: String\\\\n) {\\\\n cacheChangeStream(resumptionToken: $resumptionToken) {\\\\n nextResumptionToken\\\\n __invalidatedCacheDomains: invalidatedCacheDomains {\\\\n __typename\\\\n ... on ContentFamilyCacheDomainInvalidation {\\\\n systemName\\\\n invalidationId\\\\n name\\\\n }\\\\n }\\\\n }\\\\n}\\\\n","variables":{"resumptionToken":"236210"}}. [file "/usr/local/apache/conf/modsecurity-crs3/70_rules-crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "736"] [id "942200"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,\\x22variables\\x22:{\\x22resumptionToken\\x22:\\x22236210\\x22}} found within ARGS_NAMES:{\\x22query\\x22:\\x22query CacheChangeStre [hostname "<hostname.domain>"] [uri "/admin/<dir>/<dir>/"] [unique_id "Xle8Xm1W8IE8Ef-M70HyFAAAAQA"]
This seems to correspond with an audit log entry:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 1<IP.IP.IP.IP>] ModSecurity: Warning. Pattern match "(?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\\\\\\\s*?\\\\\\\\(\\\\\\\\s*?space\\\\\\\\s*?\\\\\\\\(|,.*?[)\\\\\\\\da-f\\\\"'`][\\\\"'`](?:[\\\\"'`].*?[\\\\"'`]|(?:\\\\\\\\r?\\\\\\\\n)?\\\\\\\\z|[^\\\\"'`]+)|\\\\\\\\Wselect.+\\\\\\\\W*?from))" at ARGS_NAMES:{"query":"query CacheChangeStream(\\\\\\\\n $resumptionToken: String\\\\\\\\n) {\\\\\\\\n cacheChangeStream(resumptionToken: $resumptionToken) {\\\\\\\\n nextResumptionToken\\\\\\\\n __invalidatedCacheDomains: invalidatedCacheDomains {\\\\\\\\n __typename\\\\\\\\n ... on ContentFamilyCacheDomainInvalidation {\\\\\\\\n systemName\\\\\\\\n invalidationId\\\\\\\\n name\\\\\\\\n }\\\\\\\\n }\\\\\\\\n }\\\\\\\\n}\\\\\\\\n","variables":{"resumptionToken":"236210"}}. [file "/usr/local/apache/conf/modsecurity-crs3/70_rules-crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "736"] [id "942200"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,\\\\x22variables\\\\x22:{\\\\x22resumptionToken\\\\x22:\\\\x22236210\\\\x22}} found within ARGS_NAMES:{\\\\x22query\\\\x22:\\\\x22query CacheChangeStre [hostname "<hostname.domain>"] [uri "/admin/<dir>/<dir>/"] [unique_id "Xle8Xm1W8IE8Ef-M70HyFAAAAQA"]
Any insights/suggestions would be appreciated.
Thanks,
Paul
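The warning quoted above can be triaged from its bracketed fields alone. The following is an added example, not code from the post, from ModSecurity or from the CRS project: it parses such a line (run here on a constructed, abridged copy of the entry above) and flags the detail that matters for a rule-exclusion decision, namely that the matched target is an ARGS_NAMES entry whose name is the entire JSON document.

```python
import re

# Constructed sample, abridged from the error-log entry in the post (rule regex and matched
# data shortened, <...> redactions kept, [data ...] field left without its closing "] as in the post).
SAMPLE = (
    '[2020-02-27 12:55:58.354429] [-:error] <IP.IP.IP.IP>:<PORT> Xle8Xm1W8IE8Ef-M70HyFAAAAQA '
    '[client <IP.IP.IP.IP>] ModSecurity: Warning. Pattern match "(?i:...\\Wselect.+\\W*?from)" at '
    'ARGS_NAMES:{"query":"query CacheChangeStream($resumptionToken: String) { ... }",'
    '"variables":{"resumptionToken":"236210"}}. '
    '[file "/usr/local/apache/conf/modsecurity-crs3/70_rules-crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "736"] [id "942200"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] '
    '[data "Matched Data: ,\\x22variables\\x22:{\\x22resumptionToken\\x22 found within ARGS_NAMES:{\\x22query '
    '[hostname "<hostname.domain>"] [uri "/admin/<dir>/<dir>/"] [unique_id "Xle8Xm1W8IE8Ef-M70HyFAAAAQA"]'
)

# ... Pattern match "<regex>" at <COLLECTION>[:<variable>]. [file "<path>"] [line "..."] ...
HEAD = re.compile(r'ModSecurity: (?P<action>Warning|Access denied[^.]*)\. Pattern match '
                  r'"(?P<pattern>.*)" at (?P<collection>[A-Z_]+)(?::(?P<variable>.*?))?\. \[file "', re.DOTALL)
FIELD = re.compile(r'\[(\w+) "')  # opener of each trailing [name "value"] field

def parse_modsec_line(line: str) -> dict:
    """Split one ModSecurity 2.x pattern-match log line into its parts."""
    m = HEAD.search(line)
    if not m:
        raise ValueError("not a ModSecurity pattern-match line")
    out = {**m.groupdict(), "truncated": []}
    # Cut fields at the next '[name "' rather than at '"]': ModSecurity caps the
    # [data ...] field, so its closing '"]' may be missing, as it is in the post.
    starts = list(FIELD.finditer(line, m.end() - len('[file "')))
    for cur, nxt in zip(starts, starts[1:] + [None]):
        value = line[cur.end():nxt.start() if nxt else len(line)].rstrip()
        if value.endswith('"]'):
            value = value[:-2]
        else:
            out["truncated"].append(cur.group(1))
        out[cur.group(1)] = value
    return out

def triage(fields: dict) -> dict:
    """Fields a rule-exclusion decision needs, plus the tell-tale sign in the post: an
    ARGS_NAMES variable that is itself a JSON document. ModSecurity 2.x only builds such
    a name when the body was processed as urlencoded form data, not by the JSON processor."""
    var = (fields.get("variable") or "").lstrip()
    return {
        "rule_id": fields.get("id"),
        "uri": fields.get("uri"),
        "json_body_parsed_as_form_field": fields["collection"] == "ARGS_NAMES" and var.startswith(("{", "[")),
        "truncated_fields": fields["truncated"],
    }
```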