Rule: 942370: False positive 0202 - reopened
Description
[2021-08-05 10:19:57.] [-:error] ******* ***** [client ***.**.**.**] ModSecurity: Warning. Pattern match "(?i:[\\"'`](?:\\\\s*?(?:(?:\\\\*.+(?:(?:an|i)d|between|like|x?or|div)\\\\W*?[\\"'`]|(?:between|like|x?or|and|div)\\\\s[^\\\\d]+[\\\\w-]+.*?)\\\\d|[^\\\\w\\\\s?]+\\\\s*?[^\\\\w\\\\s]+\\\\s*?[\\"'`]|[^\\\\w\\\\s]+\\\\s*?[\\\\W\\\\d].*?(?:--|#))|.*?\\\\*\\\\s*?\\\\d)|[()\\\\*<>%+-][\\\\w-]+[^\\\\w\\\\s]+[\\" ..." at ARGS:fq. [file ****/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "994"] [id "942370"] [msg "Detects classic SQL injection probings 2/3"] [data "Matched Data: (siteName:\\x22T found within ARGS:fq: (siteName:\\x22TEST- -2-2\\x22)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "****"] [uri ***/"] [unique_id "***"]
Audit Logs / Triggered Rule Numbers
Your Environment
CRS version (e.g., v3.2.0):
Paranoia level setting: 1
ModSecurity version (e.g., 2.9.3):
Web Server and version (e.g., httpd 2.4.41):
Operating System and version: RHEL 7.9
Confirmation
- [ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Hi Guys,
I have enabled paranoia-level=2 and am getting the above false positive when I access the “sites” tab in my website. Could you please suggest a fix or any alterations to the rule to fix the issue?
A fix has been given in https://github.com/coreruleset/coreruleset/issues/2173
But the fix does not seem to have been accepted by the project people. Could you please provide an alternate solution, as our security team is not accepting that we allow the WAF to work with a single argument (q)? They are expecting that it may affect the WAF. So do you have any alternate suggestion on this? Also, is there any possibility that we can check what has been blocked?
Issue Analytics
- State:
- Created 2 years ago
- Comments: 55 (23 by maintainers)
Top GitHub Comments
@Shajin02 Hi, that won’t work exactly as you wrote it. First, try to always embed the code part using three backticks, otherwise it is harder to read 😄
[…] `id` in both rules. `SecRule`s should use the same REQUEST_FILENAME probably. […] `ctl:ruleRemoveTargetById=942130;ARGS:<the matched argument>` together (separated by commas).
Regarding what the waf is blocking, it is blocking the function call `cos()`, that can be used in SQL Injections.
Per https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#contains, you only need a string. If you add a string, it should work.
Let me be honest with you: this looks very much like a case that you need to read more documentation. 😄
This is not a problem with CRS, just a problem with your particular install/usage.
If you need additional help (e.g. “I don’t know how to write rules/exceptions”), there are different channels to use for this than the official issue tracker 😃
Closing.