Rule: 942370: False positive 0202 - reopened

Description [2021-08-05 10:19:57.] [-:error] ******* ***** [client ***.**.**.**] ModSecurity: Warning. Pattern match "(?i:[\\"'`](?:\\\\s*?(?:(?:\\\\*.+(?:(?:an|i)d|between|like|x?or|div)\\\\W*?[\\"'`]|(?:between|like|x?or|and|div)\\\\s[^\\\\d]+[\\\\w-]+.*?)\\\\d|[^\\\\w\\\\s?]+\\\\s*?[^\\\\w\\\\s]+\\\\s*?[\\"'`]|[^\\\\w\\\\s]+\\\\s*?[\\\\W\\\\d].*?(?:--|#))|.*?\\\\*\\\\s*?\\\\d)|[()\\\\*<>%+-][\\\\w-]+[^\\\\w\\\\s]+[\\" ..." at ARGS:fq. [file ****/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "994"] [id "942370"] [msg "Detects classic SQL injection probings 2/3"] [data "Matched Data: (siteName:\\x22T found within ARGS:fq: (siteName:\\x22TEST- -2-2\\x22)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "****"] [uri ***/"] [unique_id "***"]

Audit Logs / Triggered Rule Numbers Your Environment CRS version (e.g., v3.2.0): Paranoia level setting: 1 ModSecurity version (e.g., 2.9.3): Web Server and version (e.g., httpd 2.4.41): Operating System and version: RHEL 7.9

Confirmation [ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Hi Guys,

I have enabled the paranoia-level =2 and getting the above false positive when I access the “sites” tab in my website, Could you please suggest the fix or any alterations in the rule to fix the issue?

Fix has been given in https://github.com/coreruleset/coreruleset/issues/2173

But the fix seems to be not accepted by project people, Could you please provide an alternate solution, that our security team is not accepting that we allow the WAF to work with an single argument (q), They are expecting that it may affect the WAF. So you have any alternate suggestion on this? Also there is any possibilities that we can check what has been blocked?