Modsecurity false positives encoding
Hello,
I tried today to make ModSecurity work on my server, but I found that it was giving a huge number of false positives.
First, most of them were because of rule 981257.
I deactivated that rule, and then I found more and more false positives. This time it was rules 981204 and 981243.
Just entering one inner page of a website, ModSecurity blocks you.
It seems to be related to encoding.
This post seems to show the problem:
non ascii characters causing false positives with different languages · Issue #21 · SpiderLabs/owasp-modsecurity-crs · GitHub
The websites are Spanish websites, and it seems to be related to that.
As that post is a little old, I am not sure what I have to do to configure ModSecurity to change this configuration.
What do I have to do to avoid this problem? If you could tell me step by step how to do it, I would appreciate it. :)
981243 - detects classic sql injection probings 2/2
Pattern match "(?i:(?:[\"'`]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`]\\d)|(?:\\^[\"'`])|(?:^[\\w\\s\"'`-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`][\\s\\d]*?[^\\w\\s]+\\W*?\\d\ ..." at REQUEST_COOKIES:ci_session.
981257 - Detects MySQL comment-/space-obfuscated injections and backtick termination
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination', id:'981257', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
Hello :) We have a document on the OWASP rules at: OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation. You can also search for the term "owasp" on our forums to see other threads related to this ruleset. Thank you.
There is generally a period of customization for anyone using a rule set as big as the OWASP rules. You will probably have to keep fine-tuning and disabling rules that do not work for you. Usually, once you "weed out" the few rules that block your legitimate activities, you are in pretty good shape. Unfortunately, the OWASP rules are not "one size fits all." You have to take the time to turn off rules that cause you problems. This is why they are so hard to implement properly on a server that is already in production.
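The tuning the reply above describes, carried out on the Apache error_log rather than by switching rules off one at a time, as an added example that is not code from the original post, from cPanel or from the OWASP CRS project. It tallies ModSecurity 2.x alerts per (rule id, matched variable) and emits a targeted `SecRuleUpdateTargetById` exclusion for each pair that keeps recurring, next to the blunt `SecRuleRemoveById` alternative for comparison. The sample log lines are constructed for this example: the file paths, line numbers, hostnames, URIs, parameter names, client addresses and unique_ids are made up, the regex text inside "Pattern match" is cut short, and the [msg] for 981204 is omitted because the post does not quote it. Rule 981176 (the CRS 2.x inbound anomaly-score blocking rule) is included to show that score evaluations on TX: variables are skipped rather than "excluded".

```python
import re
from collections import Counter

# Constructed sample of ModSecurity 2.x entries as Apache writes them to
# error_log. NOT from the original post: paths, line numbers, hostnames, URIs,
# parameter names, client addresses and unique_ids are made up, and the regex
# text inside "Pattern match" is shortened with "...". The [msg] texts for
# 981243 and 981257 are the ones quoted in the post; 981204's is left out.
SAMPLE_LOG = r'''
[Tue Mar 14 10:11:12.100000 2017] [:error] [pid 2101] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:(?:[\"'`]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`]\\d)|...)" at REQUEST_COOKIES:ci_session. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.es"] [uri "/contacto"] [unique_id "WMfd@AoAAQEAAAg1HTcAAAAA"]
[Tue Mar 14 10:11:12.100000 2017] [:error] [pid 2101] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=0): Last Matched Message: Detects classic SQL injection probings 2/2"] [hostname "www.example.es"] [uri "/contacto"] [unique_id "WMfd@AoAAQEAAAg1HTcAAAAA"]
[Tue Mar 14 10:12:40.200000 2017] [:error] [pid 2102] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:(?:[\"'`]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`]\\d)|...)" at REQUEST_COOKIES:ci_session. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.es"] [uri "/productos"] [unique_id "WMfeGAoAAQEAAAg2HUEAAAAB"]
[Tue Mar 14 10:15:03.300000 2017] [:error] [pid 2103] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\\Z|[^\"'`]+))|...)" at ARGS:texto. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "231"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [severity "CRITICAL"] [hostname "www.example.es"] [uri "/contacto"] [unique_id "WMfeUAoAAQEAAAg3HUkAAAAC"]
[Tue Mar 14 10:16:27.400000 2017] [:error] [pid 2103] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\\Z|[^\"'`]+))|...)" at ARGS:texto. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "231"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [severity "CRITICAL"] [hostname "www.example.es"] [uri "/buscar"] [unique_id "WMfecAoAAQEAAAg3HU8AAAAD"]
[Tue Mar 14 10:20:55.500000 2017] [:error] [pid 2104] [client 192.0.2.44] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:q. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "98"] [id "981204"] [severity "CRITICAL"] [hostname "www.example.es"] [uri "/buscar"] [unique_id "WMfflAoAAQEAAAg4HVYAAAAE"]
'''

# One bracketed field of the form [name "value"]; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(id|msg|hostname|uri) "((?:[^"\\]|\\.)*)"\]')
# The variable the rule fired on, e.g. '... at REQUEST_COOKIES:ci_session. [file "'
VAR_RE = re.compile(r' at (?P<var>[A-Z_]+(?::[^ ]+?)?)\. \[file "')


def parse_line(line):
    """Return a dict for one ModSecurity alert line, or None for anything else.

    Alerts whose variable lives in the TX collection (the anomaly-score
    evaluation that actually issues the 403) are dropped: they are a
    consequence of the per-rule hits, not a rule to write an exclusion for.
    """
    if "ModSecurity: " not in line:
        return None
    m = VAR_RE.search(line)
    if not m or m.group("var").startswith("TX:"):
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    return {
        "id": fields["id"],
        "var": m.group("var"),
        "msg": fields.get("msg", ""),
        "host": fields.get("hostname", ""),
        "uri": fields.get("uri", ""),
    }


def parse_events(log_text):
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def tally(events):
    """Hits per (rule id, matched variable): the unit an exclusion applies to."""
    return Counter((e["id"], e["var"]) for e in events)


def exclusions(events, min_hits=2):
    """Targeted alternative to disabling a rule: keep the rule, but stop it
    from inspecting the one variable that keeps tripping it.

    Only (id, var) pairs seen at least min_hits times are emitted; a single
    hit is not evidence of a false positive.
    """
    return [
        f'SecRuleUpdateTargetById {rid} "!{var}"'
        for (rid, var), n in sorted(tally(events).items())
        if n >= min_hits
    ]


def rule_removals(events):
    """The blunt option the thread describes: switch the rules off entirely."""
    return "SecRuleRemoveById " + " ".join(sorted({e["id"] for e in events}))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (rid, var), n in tally(evs).most_common():
        print(f"{n:3d}  {rid}  {var}")
    print("\n# targeted exclusions (file loaded after the CRS include):")
    print("\n".join(exclusions(evs)))
    print("\n# blunt alternative, for comparison:")
    print(rule_removals(evs))
```

Both `SecRuleUpdateTargetById` and `SecRuleRemoveById` only act on rules that Apache has already loaded, so the generated lines belong in a file included after the CRS; on cPanel that is normally the user rules file that WHM's ModSecurity Tools edits (an assumption; check the include order on your server). An exclusion removes one variable from one rule, so the other SQL injection rules still inspect it, which is the reason to prefer it over removing the rule. Review each pair before applying it rather than trusting the hit count alone: a session cookie such as ci_session that your application never feeds into a query is a low-risk exclusion, while a free-text form parameter is a judgment call, and the regexes quoted in the post are written to tolerate exactly that kind of text.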