
Rule: 942370: False positive 0202 - reopened


Description

[2021-08-05 10:19:57.] [-:error] ******* ***** [client ***.**.**.**] ModSecurity: Warning. Pattern match "(?i:[\\"'`](?:\\\\s*?(?:(?:\\\\*.+(?:(?:an|i)d|between|like|x?or|div)\\\\W*?[\\"'`]|(?:between|like|x?or|and|div)\\\\s[^\\\\d]+[\\\\w-]+.*?)\\\\d|[^\\\\w\\\\s?]+\\\\s*?[^\\\\w\\\\s]+\\\\s*?[\\"'`]|[^\\\\w\\\\s]+\\\\s*?[\\\\W\\\\d].*?(?:--|#))|.*?\\\\*\\\\s*?\\\\d)|[()\\\\*<>%+-][\\\\w-]+[^\\\\w\\\\s]+[\\" ..." at ARGS:fq. [file ****/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "994"] [id "942370"] [msg "Detects classic SQL injection probings 2/3"] [data "Matched Data: (siteName:\\x22T found within ARGS:fq: (siteName:\\x22TEST- -2-2\\x22)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "****"] [uri ***/"] [unique_id "***"]

Audit Logs / Triggered Rule Numbers

Your Environment

CRS version (e.g., v3.2.0):
Paranoia level setting: 1
ModSecurity version (e.g., 2.9.3):
Web Server and version (e.g., httpd 2.4.41):
Operating System and version: RHEL 7.9

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Hi Guys,

I have enabled paranoia level 2 and am getting the above false positive when I access the “sites” tab in my website. Could you please suggest a fix or any alteration to the rule to resolve the issue?

Fix has been given in https://github.com/coreruleset/coreruleset/issues/2173

But the fix does not seem to have been accepted by the project people. Could you please provide an alternate solution, as our security team is not accepting that we allow the WAF to work with a single argument (q)? They expect that it may affect the WAF. Do you have any alternate suggestion on this? Also, is there any possibility that we can check what has been blocked?

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:55 (23 by maintainers)

Top GitHub Comments

1 reaction
fzipi commented, Sep 1, 2021

@Shajin02 Hi, that won’t work exactly as you wrote it. First, try to always embed the code part using three backticks, otherwise it is harder to read 😄

  1. you are using the same id in both rules.
  2. both SecRules should use the same REQUEST_FILENAME probably.
  3. In fact, you can write everything in one SecRule. Just add all the ctl:ruleRemoveTargetById=942130;ARGS:<the matched argument> together (separated by commas).

Regarding what the WAF is blocking, it is blocking the function call cos(), which can be used in SQL injections.

0 reactions
fzipi commented, Sep 1, 2021

Per https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#contains, you only need a string. If you add a string, it should work.

Let me be honest with you: this looks very much like a case that you need to read more documentation. 😄

This is not a problem with CRS, just a problem with your particular install/usage.

If you need additional help (e.g. “I don’t know how to write rules/exceptions”), there are different channels to use for this than the official issue tracker 😃

Closing.
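The two maintainer comments above give the shape of a working exclusion without writing it out: one SecRule keyed on REQUEST_FILENAME with a plain-string operand (the @contains note applies equally to @beginsWith), every ctl:ruleRemoveTargetById=<id>;ARGS:<name> action folded into a single comma-separated action list, and a unique local id. The issue also asks how to check what the WAF has actually blocked. The script below is an added example, not code from the coreruleset project or from anyone in this thread: it parses ModSecurity 2.x error-log alerts of the format quoted in the issue, groups the (rule id, matched variable) pairs by request path, and renders one such SecRule per path. The sample log lines, the hostname, the /sites/ and /search/ paths, the file paths and line numbers, and the starting id 1001 are all constructed for illustration.

```python
"""Triage ModSecurity 2.x error-log alerts and emit CRS rule-target exclusions.

Added example for this thread; not code from the coreruleset project or from
the issue's author.  Log lines, hostname, paths and the rule-id base are
constructed for illustration.
"""
import re
from collections import defaultdict

# One [key "value"] field of an error-log line.  Values may contain
# backslash-escaped characters (ModSecurity writes \" and \x22), so the
# alternation consumes an escape as a unit instead of stopping at it.
_FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Which variable the match was found in, taken from the CRS logdata text
# "Matched Data: ... found within ARGS:fq: ...".
_TARGET_RE = re.compile(r'found within ([A-Z_]+(?::[^:\s]+)?):')

# Paths we are willing to splice into a SecRule operator string unescaped.
_SAFE_PATH_RE = re.compile(r'/[A-Za-z0-9/._~-]*')


def parse_alert(line):
    """Return the [key "value"] fields of one alert line plus a 'target'
    key (e.g. 'ARGS:fq'), or None if the line carries no rule id / uri."""
    fields = dict(_FIELD_RE.findall(line))
    if 'id' not in fields or 'uri' not in fields:
        return None
    m = _TARGET_RE.search(fields.get('data', ''))
    fields['target'] = m.group(1) if m else None
    # Exclusions key on the path only; drop any query string defensively.
    fields['uri'] = fields['uri'].split('?', 1)[0]
    return fields


def collect_exclusions(lines):
    """Group (rule id, target) pairs by request path.  Alerts without a
    'found within' target (e.g. the 949110 anomaly-score block) are skipped:
    they record the decision, not the variable that tripped a rule."""
    by_uri = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert and alert['target']:
            by_uri[alert['uri']].add((alert['id'], alert['target']))
    return {uri: sorted(pairs) for uri, pairs in by_uri.items()}


def render_exclusion(uri, pairs, rule_id):
    """Render one SecRule for a path with every ctl:ruleRemoveTargetById
    action folded into its action list, comma-separated."""
    if not _SAFE_PATH_RE.fullmatch(uri):
        raise ValueError(f'refusing to template unusual path {uri!r}')
    actions = [f'id:{rule_id}', 'phase:1', 'pass', 'nolog']
    actions += [f'ctl:ruleRemoveTargetById={rid};{target}' for rid, target in pairs]
    body = ',\\\n    '.join(actions)
    return f'SecRule REQUEST_FILENAME "@beginsWith {uri}" \\\n    "{body}"'


def render_exclusions(lines, first_id=1001):
    """Whole exclusion file: one SecRule per path, ids assigned sequentially
    from first_id (keep them out of the 9xxxxx range CRS itself uses)."""
    groups = sorted(collect_exclusions(lines).items())
    return '\n\n'.join(render_exclusion(uri, pairs, first_id + n)
                       for n, (uri, pairs) in enumerate(groups))


# Constructed sample modelled on the alert quoted in the issue (not real
# traffic).  The 949110 line is the anomaly-score block that must NOT
# become an exclusion.
SAMPLE_LOG = [
    '[Thu Aug 05 10:19:57.000000 2021] [:error] [pid 1234] [client 192.0.2.10] '
    'ModSecurity: Warning. Pattern match "(?i:[\\"\'`](?:\\\\s*?..." at ARGS:fq. '
    '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "994"] '
    '[id "942370"] [msg "Detects classic SQL injection probings 2/3"] '
    '[data "Matched Data: (siteName:\\x22T found within ARGS:fq: '
    '(siteName:\\x22TEST- -2-2\\x22)"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/3.3.0"] [tag "paranoia-level/2"] '
    '[hostname "www.example.test"] [uri "/sites/"] [unique_id "YQ1"]',
    '[Thu Aug 05 10:19:57.000000 2021] [:error] [pid 1234] [client 192.0.2.10] '
    'ModSecurity: Warning. Pattern match "..." at ARGS:q. '
    '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "300"] '
    '[id "942130"] [msg "SQL Injection Attack: SQL Tautology Detected."] '
    '[data "Matched Data: 1=1 found within ARGS:q: cos(1)=1"] [severity "CRITICAL"] '
    '[hostname "www.example.test"] [uri "/sites/"] [unique_id "YQ1"]',
    '[Thu Aug 05 10:20:03.000000 2021] [:error] [pid 1234] [client 192.0.2.10] '
    'ModSecurity: Warning. Pattern match "..." at ARGS:q. '
    '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "994"] '
    '[id "942370"] [msg "Detects classic SQL injection probings 2/3"] '
    '[data "Matched Data: \\x22x found within ARGS:q: \\x22x-1\\x22"] '
    '[hostname "www.example.test"] [uri "/search/"] [unique_id "YQ2"]',
    '[Thu Aug 05 10:19:57.000000 2021] [:error] [pid 1234] [client 192.0.2.10] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] '
    '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[hostname "www.example.test"] [uri "/sites/"] [unique_id "YQ1"]',
]

if __name__ == '__main__':
    print(render_exclusions(SAMPLE_LOG))
```

Run it and review each rule it prints before pasting it into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, since runtime ctl exclusions have to be evaluated before the CRS rules. For the sample it emits two rules: /sites/ stops 942130 inspecting ARGS:q and 942370 inspecting ARGS:fq, /search/ stops 942370 inspecting ARGS:q, and all other rules still see every argument on those paths. That path-scoped exclusion is the narrow alternative to letting the WAF skip an argument globally, which is what the security team in the thread objected to.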
