
List:       mod-security-users
Subject:    Re: [mod-security-users] False Positives
From:       <Tim.Einmahl () kba ! de>
Date:       2015-01-20 8:40:17
Message-ID: 12A8CAEFF3AB0248AC1816BABFF590340BEFD466 () NTCL0301 ! kba ! de

Hi Christian,

good idea! It works.

Thanks a lot.

Regards
Tim

From: Christian Folini [mailto:christian.folini@time-machine.ch]
Sent: Monday, 19 January 2015 14:19
To: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] False Positives

Hi Tim,

Given the arbitrary pattern of the toktok parameter, I would use a whitelist approach for that parameter and then skip the rule.

SecRule ARGS:toktok "!^[a-z0-9-]{num-of-characters}$" "...deny..."

SecRuleUpdateTargetById 981173 "!ARGS:toktok"

Regs,

Christian

Tim.Einmahl@kba.de, 1/19/2015 1:01 PM:
Hi all,

I am getting false positives for some ARGS.

For example:

Message: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:toktok. [file "/etc/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:toktok: a197f274-75c5-4865-af35-913948618a35"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]


I know I can use SecRuleUpdateTargetById to exclude the ARG "toktok" from being analysed by this rule, but I don't think that this is ideal, because it would disable the whole rule for the ARG "toktok".

IMHO a better approach would be to tell modsecurity to allow those 4 "-" but still test ARG "toktok" against the rule (it could contain other special characters sent by an attacker which should be caught).

Is this possible with modsecurity?

Thanks in advance

Tim







------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
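To make the whitelist-then-exclude approach from the thread concrete, here is an added Python model (constructed for this page; it is neither ModSecurity code nor anything the list members posted) that applies the 981173 character class copied from the log message and then Christian's two steps to sample parameter values. The strict lowercase-hex UUID whitelist is an assumption derived from the sample value in the log.

```python
import re

# Constructed model of the rules discussed above (not ModSecurity itself).
# Character class of OWASP CRS 2.2.9 rule 981173 as printed in the log; the
# three non-ASCII quote characters are written as \uXXXX escapes.
SPECIAL = r"[~!@#$%^&*()\-+={}\[\]|:;\"'\u00b4\u2019\u2018`<>]"
# "four or more class characters anywhere in the value" raises the anomaly alert
CRS_981173 = re.compile("(" + SPECIAL + ".*?){4,}")

# Assumed whitelist for toktok: a lowercase hex UUID, the shape of the sample
# value "a197f274-75c5-4865-af35-913948618a35" from the log.
UUID_ONLY = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

UUID = "a197f274-75c5-4865-af35-913948618a35"  # value taken from the log above


def special_char_count(value: str) -> int:
    """Number of 981173-class characters in a value (a UUID has exactly 4 hyphens)."""
    return len(re.findall(SPECIAL, value))


def run_rules(args, whitelists, excluded_from_981173):
    """Phase-2 evaluation in the order the two directives take effect.

    whitelists:            {param: compiled regex}; a value that fails its
                           whitelist is denied (the "SecRule ... deny" step)
    excluded_from_981173:  params removed with SecRuleUpdateTargetById 981173
    Returns {param: "deny-whitelist" | "alert-981173" | "allow"}.
    """
    verdicts = {}
    for name, value in args.items():
        wl = whitelists.get(name)
        if wl is not None and not wl.match(value):
            verdicts[name] = "deny-whitelist"   # bad input never reaches the CRS rule
        elif name not in excluded_from_981173 and CRS_981173.search(value):
            verdicts[name] = "alert-981173"     # the false positive Tim reported
        else:
            verdicts[name] = "allow"
    return verdicts


if __name__ == "__main__":
    print(run_rules({"toktok": UUID}, {}, set()))                          # before
    print(run_rules({"toktok": UUID}, {"toktok": UUID_ONLY}, {"toktok"}))  # after
    print(run_rules({"toktok": "x' or 1=1--"}, {"toktok": UUID_ONLY}, {"toktok"}))
```

The last call shows why the exclusion does not weaken coverage of toktok: a non-UUID value is denied by the whitelist rule before 981173 would ever have scored it, while other parameters are still inspected by 981173 as before.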



