Thread: [Mod-security-developers] Question about some rules
From: Pavel M. <pa...@ne...> - 2012-03-07 13:50:10
Hi,
I got a lot of false positives on modsecurity-crs_2.2.3 rules 981243, 981244 and 981248.
They were catching "like" where I think they should not.

Example:
Parameter: passcode=boomlike
Result:
..[id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "like"] [severity "CRITICAL"]..
..[id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "like"] [severity "CRITICAL"]..
..[id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "like"] [severity "CRITICAL"]..

I had to modify them slightly:

rule 981243:
-..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..

rule 981244:
-..\s*x?or|div|like|between|and[\w\s-]+..
+..\s*x?(or|div|like|between|and)[\w\s-]+..

rule 981248:
-..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
+..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..

Or am I missing something?
--
Pavel Mateja
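Review bot: the two lines given for rule 981243 both carry a `-` prefix, so the before and after patterns cannot be told apart; the second one, `-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..`, is presumably meant to carry `+` as in the other two rules. The 981244 fix is also not consistent with the other two: it places the optional `x` outside the new group (`\s*x?(or|div|like|between|and)`) whereas 981243 and 981248 keep it inside (`(x?or|div|like|between|and)`), and outside the group it turns `x` into an optional prefix of every keyword rather than of `or` alone. Moving it inside, as in the other two rules, would keep the three fixes uniform.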
From: Josh Amishav-Z. <ja...@gm...> - 2012-03-07 13:57:53
On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
>
> I had to modify them slightly:
>
> rule 981243:
> -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
> -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>
> rule 981244:
> -..\s*x?or|div|like|between|and[\w\s-]+..
> +..\s*x?(or|div|like|between|and)[\w\s-]+..
>
> rule 981248:
> -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
> +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>
> Or am I missing something?
>

Hi Pavel,

The string 'like' is included to help protect against SQLi attacks. In your case it's obviously a false positive. Having said that, customizing the CRS itself will make upgrading the ruleset more difficult. It's probably a better idea to maintain a list of exceptions instead. Take a look at:
http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

--
- Josh

> --
> Pavel Mateja
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
From: Pavel M. <pa...@ne...> - 2012-03-07 14:33:23
> On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
> > I had to modify them slightly:
> >
> > rule 981243:
> > -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
> > -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
> >
> > rule 981244:
> > -..\s*x?or|div|like|between|and[\w\s-]+..
> > +..\s*x?(or|div|like|between|and)[\w\s-]+..
> >
> > rule 981248:
> > -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
> > +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
> >
> > Or am I missing something?
>
> Hi Pavel,
>
> The string 'like' is included to help protect against SQLi attacks. In your
> case it's obviously a false positive. Having said that, customizing the CRS
> itself will make upgrading the ruleset more difficult. It's probably a
> better idea to maintain a list of exceptions instead. Take a look at:
> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

OK,
let's talk about part of the rule 981248:
(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])
I think this one is for catching strings similar to:
"5 like 8+"
but the rule is positive on any words containing "like" because "|" does not have as high a priority as the author thought it has.
The "\s*\d+\s*[\-+]" part is tied to "(x)or" only and "\s*\d+\s*[\-+]" part is tied to "and" only.
It's not customizing, it's fixing broken rules from my point of view.
--
Pavel Mateja
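Pavel's point that `|` binds more loosely than concatenation can be checked directly by running the quoted fragments. The following is an added example, not code from this thread or from the OWASP CRS: it compiles the original and corrected fragments of rules 981244 and 981248 exactly as quoted above, with the `..` elisions dropped (an assumption that the surrounding rule text adds no grouping or word boundaries of its own), and reports what each one matches. Rule 981243 is left out because its fragment ends in a `)` whose opening group sits in the elided text. `boomlike` is the parameter value from the original report and `5 like 8+` is Pavel's example of what 981248 is meant to catch; `individual` and `1 and 2-` are constructed here.

```python
import re

# Regex fragments exactly as quoted in the thread, with the ".." elisions
# dropped. Assumption: the elided rule text does not add grouping or word
# boundaries around these fragments. Rule 981243 is omitted because its
# fragment ends in a ")" whose opening group lies in the elided text.
PATTERNS = {
    "981244-original": r"\s*x?or|div|like|between|and[\w\s-]+",
    "981244-fixed":    r"\s*x?(or|div|like|between|and)[\w\s-]+",
    "981248-original": r"(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])",
    "981248-fixed":    r"(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])",
}

# Sample inputs. "boomlike" is the parameter value from Pavel's report and
# "5 like 8+" is his example of what 981248 is meant to catch; "individual"
# and "1 and 2-" are constructed for this example.
BENIGN = ["boomlike", "individual"]
PROBES = ["5 like 8+", "1 and 2-"]


def matched_text(pattern, text):
    """Return the substring the pattern matched, i.e. what ModSecurity
    would log as [data "..."], or None if the pattern does not fire."""
    m = re.search(pattern, text)
    return m.group(0) if m else None


def false_positives(pattern, benign=BENIGN):
    """Benign inputs on which the pattern fires, with the text it matched."""
    hits = {}
    for s in benign:
        hit = matched_text(pattern, s)
        if hit is not None:
            hits[s] = hit
    return hits


def missed_probes(pattern, probes=PROBES):
    """Probe inputs on which the pattern does not fire at all."""
    return [s for s in probes if matched_text(pattern, s) is None]


def report():
    """Per-pattern summary: what each sample matched, plus FP and miss lists."""
    return {
        name: {
            "matches": {s: matched_text(p, s) for s in BENIGN + PROBES},
            "false_positives": false_positives(p),
            "missed_probes": missed_probes(p),
        }
        for name, p in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, res in report().items():
        print(name)
        for sample, hit in res["matches"].items():
            print(f"  {sample!r:14} -> {hit!r}")
        print(f"  false positives: {res['false_positives']}")
        print(f"  missed probes:   {res['missed_probes']}")
```

Both original fragments report `like` as the matched data for `boomlike`, reproducing the `[data "like"]` entries in the log, and `div` for `individual`; the corrected 981248 fires on neither benign value while still matching the two probes in full. Note that the corrected 981244 fragment still fires on `individual` (matching `dividual`), because nothing in the quoted text requires a word boundary before the keyword and `[\w\s-]+` accepts the trailing letters; whether the elided `..` context supplies such a boundary cannot be seen from the thread, which is one reason a per-parameter exception list, as Josh suggests, remains useful alongside a regex fix.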
From: Ryan B. <RBa...@tr...> - 2012-03-07 18:40:37
On 3/7/12 9:33 AM, "Pavel Mateja" <pa...@ne...> wrote:

>> On Wed, Mar 7, 2012 at 3:23 PM, Pavel Mateja <pa...@ne...> wrote:
>> > I had to modify them slightly:
>> >
>> > rule 981243:
>> > -..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
>> > -..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>> >
>> > rule 981244:
>> > -..\s*x?or|div|like|between|and[\w\s-]+..
>> > +..\s*x?(or|div|like|between|and)[\w\s-]+..
>> >
>> > rule 981248:
>> > -..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
>> > +..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>> >
>> > Or am I missing something?
>>
>> Hi Pavel,
>>
>> The string 'like' is included to help protect against SQLi attacks. In your
>> case it's obviously a false positive. Having said that, customizing the CRS
>> itself will make upgrading the ruleset more difficult. It's probably a
>> better idea to maintain a list of exceptions instead. Take a look at:
>> http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
>
> OK,
> let's talk about part of the rule 981248:
> (?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])
> I think this one is for catching strings similar to:
> "5 like 8+"
> but the rule is positive on any words containing "like" because "|" does not have as high a priority as the author thought it has.
> The "\s*\d+\s*[\-+]" part is tied to "(x)or" only and "\s*\d+\s*[\-+]" part is tied to "and" only.
> It's not customizing, it's fixing broken rules from my point of view.
> --
> Pavel Mateja

You are correct, the issue was with the regex. We will be fixing it.

-Ryan

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Ryan B. <RBa...@tr...> - 2012-03-07 14:50:52
Pavel,
You are correct. I was just looking at these regexes myself and found the same issue. Since the ) was missing, it wasn't grouping properly. I will fix this issue.

As a side note - this is an OWASP ModSecurity CRS issue and we have a separate mail-list for that -
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Thanks.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

On 3/7/12 8:23 AM, "Pavel Mateja" <pa...@ne...> wrote:

>Hi,
>I got a lot of false positives on modsecurity-crs_2.2.3 rules 981243, 981244 and 981248.
>They were catching "like" where I think they should not.
>
>Example:
>Parameter: passcode=boomlike
>Result:
>..[id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "like"] [severity "CRITICAL"]..
>..[id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "like"] [severity "CRITICAL"]..
>..[id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "like"] [severity "CRITICAL"]..
>
>I had to modify them slightly:
>
>rule 981243:
>-..\s*x?or|div|like|between|and\s[^\d]+[\w-]+.*\d)..
>-..\s*(x?or|div|like|between|and)\s[^\d]+[\w-]+.*\d)..
>
>rule 981244:
>-..\s*x?or|div|like|between|and[\w\s-]+..
>+..\s*x?(or|div|like|between|and)[\w\s-]+..
>
>rule 981248:
>-..(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])..
>+..(?:\d+\s*(x?or|div|like|between|and)\s*\d+\s*[\-+])..
>
>Or am I missing something?
>--
>Pavel Mateja
From: Pavel M. <pa...@ne...> - 2012-03-07 14:54:00
> Pavel,
> You are correct. I was just looking at these regexes myself and found the
> same issue. Since the ) was missing, it wasn't grouping properly. I will
> fix this issue.
>
> As a side note - this is an OWASP ModSecurity CRS issue and we have a
> separate mail-list for that -
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

I didn't know that. Sorry.
--
Pavel Mateja