Re: [mod-security-users] mod-security errors
From: Manuel S. <spa...@gm...> - 2020-02-27 20:37:33
Hi Paul, you have an argument that looks suspicious; add a whitelist for the argument “query”.
Cheers!
Sent from my iPhone
> On Feb 27, 2020, at 7:41 AM, Paul Beckett <pau...@ou...> wrote:
>
>
> I'm currently trying to update a web application firewall on a reverse-proxy.
>
> It's running:
> RHEL6
> Apache 2.4.41 (built from source)
> Mod-Security 2.9.3 (built from source)
> Mod-Security CRS 3.2
>
> I'm currently encountering an issue which, despite spending a while googling, I have failed to understand or find a solution for.
>
> I'm seeing errors being thrown, attributed to apache2_util.c, line 271 (this can happen multiple times for the same request, with multiple rule IDs in the error output).
>
> I've had to redact <IP>, <port>, <hostname.domain>, <dir> in the entries from my logs below.
>
> In my error log:
> [2020-02-27 12:55:58.354429] [-:error] <IP.IP.IP.IP>:<PORT> Xle8Xm1W8IE8Ef-M70HyFAAAAQA [client <IP.IP.IP.IP>] ModSecurity: Warning. Pattern match "(?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\\\s*?\\\\(\\\\s*?space\\\\s*?\\\\(|,.*?[)\\\\da-f\\"'`][\\"'`](?:[\\"'`].*?[\\"'`]|(?:\\\\r?\\\\n)?\\\\z|[^\\"'`]+)|\\\\Wselect.+\\\\W*?from))" at ARGS_NAMES:{"query":"query CacheChangeStream(\\\\n $resumptionToken: String\\\\n) {\\\\n cacheChangeStream(resumptionToken: $resumptionToken) {\\\\n nextResumptionToken\\\\n __invalidatedCacheDomains: invalidatedCacheDomains {\\\\n __typename\\\\n ... on ContentFamilyCacheDomainInvalidation {\\\\n systemName\\\\n invalidationId\\\\n name\\\\n }\\\\n }\\\\n }\\\\n}\\\\n","variables":{"resumptionToken":"236210"}}. [file "/usr/local/apache/conf/modsecurity-crs3/70_rules-crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "736"] [id "942200"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,\\x22variables\\x22:{\\x22resumptionToken\\x22:\\x22236210\\x22}} found within ARGS_NAMES:{\\x22query\\x22:\\x22query CacheChangeStre [hostname "<hostname.domain>"] [uri "/admin/<dir>/<dir>/"] [unique_id "Xle8Xm1W8IE8Ef-M70HyFAAAAQA"]
>
> This seems to correspond with an audit log entry:
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 1<IP.IP.IP.IP>] ModSecurity: Warning. Pattern match "(?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\\\\\\\s*?\\\\\\\\(\\\\\\\\s*?space\\\\\\\\s*?\\\\\\\\(|,.*?[)\\\\\\\\da-f\\\\"'`][\\\\"'`](?:[\\\\"'`].*?[\\\\"'`]|(?:\\\\\\\\r?\\\\\\\\n)?\\\\\\\\z|[^\\\\"'`]+)|\\\\\\\\Wselect.+\\\\\\\\W*?from))" at ARGS_NAMES:{"query":"query CacheChangeStream(\\\\\\\\n $resumptionToken: String\\\\\\\\n) {\\\\\\\\n cacheChangeStream(resumptionToken: $resumptionToken) {\\\\\\\\n nextResumptionToken\\\\\\\\n __invalidatedCacheDomains: invalidatedCacheDomains {\\\\\\\\n __typename\\\\\\\\n ... on ContentFamilyCacheDomainInvalidation {\\\\\\\\n systemName\\\\\\\\n invalidationId\\\\\\\\n name\\\\\\\\n }\\\\\\\\n }\\\\\\\\n }\\\\\\\\n}\\\\\\\\n","variables":{"resumptionToken":"236210"}}. [file "/usr/local/apache/conf/modsecurity-crs3/70_rules-crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "736"] [id "942200"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,\\\\x22variables\\\\x22:{\\\\x22resumptionToken\\\\x22:\\\\x22236210\\\\x22}} found within ARGS_NAMES:{\\\\x22query\\\\x22:\\\\x22query CacheChangeStre [hostname "<hostname.domain>"] [uri "/admin/<dir>/<dir>/"] [unique_id "Xle8Xm1W8IE8Ef-M70HyFAAAAQA"]
>
>
> Any insights/suggestions would be appreciated.
> Thanks,
> Paul
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
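As an added illustration of the whitelist Manuel suggests (example configuration, not from either poster), this is a CRS 3.x runtime rule exclusion of the kind that belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. The rule id 1001 and the `/admin/` URI prefix are assumptions; rule 942200 and the ARGS_NAMES target come from the logged event, whose argument name is the whole JSON document beginning with `{"query":`, so the exclusion selects that name with a regex rather than the literal name `query`.

```apache
# Added example: lift CRS rule 942200 only for the GraphQL argument name
# reported in the log, and only on the endpoint that legitimately receives
# such documents. The id (1001) and the URI prefix are assumptions.
#
# phase:1 runs before the CRS request rules (phase 2), so the ctl action
# takes effect for this transaction; pass + nolog keep the exclusion rule
# itself out of the audit log.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942200;ARGS_NAMES:/^\{.query.:/"

# Broader alternative (not scoped to a URI): the same target exclusion as a
# static directive, applied to every request the CRS inspects.
# SecRuleUpdateTargetById 942200 "!ARGS_NAMES:/^\{.query.:/"
```

The argument name in the log being the entire JSON body is what a JSON request looks like when ModSecurity parses it as form data; checking the request's Content-Type against the body-processor rules in modsecurity.conf is worth doing before settling on the exclusion.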