mod-security-report-false-positives Mailing List for ModSecurity
From: WHK <yan...@gm...> - 2016-04-05 18:23:43

The simplemachines system: http://download.simplemachines.org/

The false positive in cookies:

SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:smf_session_data"

But new false positive:

[Tue Apr 05 15:01:25.067849 2016] [:error] [pid 26326] [client 190.101.13.170] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:admin_pass. [file "/home/androidlatinos/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ********** found within ARGS:admin_pass: **********"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [hostname "androidlatinos.com"] [uri "/index.php"] [unique_id "VwP9dRs57cRZtOmSKcwYtwAAABs"]
From: Ryan B. <RBa...@tr...> - 2012-10-29 22:33:23

Hey Ben,

Do you have control of the ModSecurity rule configs or is this an issue on another site? If it is the former, you may want to add an exception for that rule so that it doesn't trigger on that parameter value. See steps here - http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

If that does not work well enough for you, you might consider disabling that rule entirely with -

SecRuleRemoveById 950911

We currently have two rules for HTTP Response Splitting Attacks and 950910 is actually stronger.

Hope this helps.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Ben Marks <be...@bl...>
Date: Monday, October 29, 2012 4:38 PM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-report-false-positives] Field submitted with both http and meta tag triggers false positive

Ref: https://twitter.com/benmarks/status/262957887192715265/photo/1/large

For the rule (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b), any submitted data with the basic pattern...

https
<meta

...will trigger a positive result. Based on the generality of the regex involved, I'm not sure there is a way around this issue, but here's the business use: in Magento, and likely in other Web apps with CMS or CMS apps, there is a field for adding miscellaneous content to the <head>. It is not uncommon for admin users of the GUI to add Google site verification meta or possibly other HTML meta data using this field, along with miscellaneous third-party javascript sources.

Please let me know if more information is needed or if I have missed any requirements necessary for this list.

Regards,
Ben Marks
Senior Developer, Blue Acorn http://www.blueacorn.com
Instructor, Magento U http://www.magentocommerce.com/services/training

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Ben M. <be...@bl...> - 2012-10-29 20:39:05

Ref: https://twitter.com/benmarks/status/262957887192715265/photo/1/large

For the rule (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b), any submitted data with the basic pattern...

https
<meta

...will trigger a positive result. Based on the generality of the regex involved, I'm not sure there is a way around this issue, but here's the business use: in Magento, and likely in other Web apps with CMS or CMS apps, there is a field for adding miscellaneous content to the <head>. It is not uncommon for admin users of the GUI to add Google site verification meta or possibly other HTML meta data using this field, along with miscellaneous third-party javascript sources.

Please let me know if more information is needed or if I have missed any requirements necessary for this list.

Regards,
Ben Marks
Senior Developer, Blue Acorn http://www.blueacorn.com
Instructor, Magento U http://www.magentocommerce.com/services/training
From: Ryan B. <RBa...@tr...> - 2012-02-13 18:07:18

There is a page on our website called Individual... ModSecurity is generating a false positive because the page name contains the word div, I have included the logs below.

Is there any way to exclude a parameter from a rule if it contains a certain text string? I know this won't work but it is an example of what I am trying to do:

SecRuleUpdateTargetById 981244 !ARGS:pageType "@contains div"

Message: Warning. Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at ARGS:pageType. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

Message: Warning. Pattern match "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*\\*.+(?:x?or|div|like|between|and|id)\\W*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\d)|(?:\\^(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98))|(?:^[\\w\\s(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)-]+( ..." at ARGS:pageType. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "573"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 13, SQLi=, XSS=): 981243-Detects classic SQL injection probings 2/2"]

Apache-Handler: proxy-server
Stopwatch: 1326169975607617 51819 (- - -)
Stopwatch2: 1326169975607617 51819; combined=4777, p1=174, p2=4443, p3=1, p4=59, p5=100, sr=45, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/); core ruleset/2.2.3.
Server: Apache/2.2.17 (
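The three reports on this list (rule 960024 firing on ARGS:admin_pass, Ryan's pointer to a per-parameter exception for 950911, and the question about excluding ARGS:pageType from 981244/981243 only when its value contains "div") all come down to the same triage step: read the rule id and the matched variable out of the alert, then write the narrowest exclusion that covers it. The script below is an added example, not code from this list or from the ModSecurity/CRS projects. It parses both alert shapes quoted above (the Apache error-log line and the audit-log "Message:" line), emits one SecRuleUpdateTargetById per rule/variable pair, the same mechanism WHK used for 981172, and builds the conditional form with ctl:ruleRemoveTargetById, which the Spiderlabs exception-handling post linked above describes and the reference manual documents for ModSecurity 2.6 and later (the 2012 log above shows 2.6.0). The sample lines are abbreviated copies of the thread's alerts with client address, hostname and unique_id dropped and the long regexes shortened; the local rule id 1000 and phase 2 are assumptions.

```python
"""Triage ModSecurity/CRS false-positive alerts and emit the matching exclusions.

Added example, not code from this list or from the ModSecurity/CRS projects.
Local rule id 1000 and phase 2 in conditional_exclusion() are assumptions.
"""
import re

# Alert lines abbreviated from the ones quoted in the thread (client address,
# hostname and unique_id removed; long regexes shortened to "(?i:...)").
SAMPLE_ALERTS = [
    r'ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:admin_pass. '
    r'[file "/home/androidlatinos/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] '
    r'[id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] '
    r'[data "Matched Data: ********** found within ARGS:admin_pass: **********"] [ver "OWASP_CRS/2.2.9"]',
    r'Message: Warning. Pattern match "(?i:...)" at ARGS:pageType. '
    r'[file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "533"] '
    r'[id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"]',
    r'Message: Warning. Pattern match "(?i:...)" at ARGS:pageType. '
    r'[file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "573"] '
    r'[id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "div"] [severity "CRITICAL"]',
    r'Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. '
    r'[file "/etc/apache2/modsecurity_crs/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] '
    r'[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 13, SQLi=, XSS=): 981243-Detects classic SQL injection probings 2/2"]',
]

# In both formats the matched variable sits between " at " and ". [file".
VAR_RE = re.compile(r' at (?P<var>[A-Z_]+(?::\S+?)?)\.\s*\[file')
ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def parse_alert(line):
    """Return (rule_id, variable, msg) for one alert line, or None if it is not an alert."""
    var_m, id_m = VAR_RE.search(line), ID_RE.search(line)
    if not (var_m and id_m):
        return None
    msg_m = MSG_RE.search(line)
    return id_m.group(1), var_m.group('var'), (msg_m.group(1) if msg_m else '')


def update_target_directives(lines):
    """One SecRuleUpdateTargetById per (rule id, variable) pair that fired on a concrete
    variable. Hits on TX:* (981204, the anomaly-score correlation rule) only report the
    earlier matches, so they get no exclusion of their own. These directives must be
    loaded after the CRS rule they modify, or ModSecurity cannot find the rule id."""
    pairs = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None or parsed[1].startswith('TX:'):
            continue
        if parsed[:2] not in pairs:
            pairs.append(parsed[:2])
    return ['SecRuleUpdateTargetById %s "!%s"' % pair for pair in pairs]


def conditional_exclusion(var, needle, rule_ids, local_id=1000, phase=2):
    """Exclusion that applies only when VAR contains NEEDLE (the 'pageType contains div'
    case): a pass/nolog rule that, for this transaction only, strips VAR from each listed
    rule via ctl:ruleRemoveTargetById. It must be evaluated before those rules, i.e. be
    loaded ahead of the CRS files, and its id (assumed 1000) must not collide with CRS ids."""
    ctl = ','.join('ctl:ruleRemoveTargetById=%s;%s' % (rid, var) for rid in rule_ids)
    return 'SecRule %s "@contains %s" "id:%d,phase:%d,t:none,pass,nolog,%s"' % (
        var, needle, local_id, phase, ctl)


if __name__ == '__main__':
    for directive in update_target_directives(SAMPLE_ALERTS):
        print(directive)
    print(conditional_exclusion('ARGS:pageType', 'div', ['981244', '981243']))
```

Two caveats when applying the output. SecRuleUpdateTargetById removes the variable from the rule for every request, which is the right trade for a password field like ARGS:admin_pass (CRS masks its value in the log, as the asterisks show, and passwords legitimately contain runs of punctuation), but for a free-text field it means the rule never sees that field again. A value-triggered exception such as "@contains div" applies to every value containing that string, not only to the Individual page, so make the condition as specific as the known legitimate values allow before the two SQLi rules are switched off for that parameter.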