
False Positive: SQLi 942360 block too sensitive


Description

Seems like it just does not like the word "select" in a sentence; threat detection is not very good in this case, seeing regular uses of the word in a sentence vs. SQLi. Did check the 3.3 changelog and don't see anything in it that would have corrected this case, I don't think.

[file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "464"] [id "942360"] [rev ""] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"]

Audit Logs / Triggered Rule Numbers

JSON Body:

{
  "kind": "notification",
  "body": {
    "message": "Scroll down to the forms and resources section of the page and expand other resources.\n4. Select Medicare Plan Appeals and Grievances form online\n5. Select start new form.",
    "contentType": "text/plain"
  }
}
[data "Matched Data: 4. Select found within ARGS:json.body.message: Scroll down to the forms and resources section of the page and expand other resources.\n4. Select Medicare Plan Appeals and Grievances form online\n5. Select start new form."] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Your Environment

  • CRS version (e.g., v3.2.0): 3.2.0
  • Paranoia level setting: 1
  • ModSecurity version: 3.0.4
  • Web Server and version: nginx
  • Operating System and version: alpine linux

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (6 by maintainers)

Top GitHub Comments

2 reactions
dune73 commented, Nov 18, 2021

Hey @jeremyjpj0916, good to see you around.

I have good news: This FP is already fixed in dev. I’m thus closing this here.

I checked on 3.3.2 as well; there it is present.

1 reaction
airween commented, Nov 18, 2021

@airween Long time no see, friend!

😃

Yep, that's what I ended up doing; just wish the rules could be better written to avoid false positives.

This regex has been built, not "written": see 942360.data and the instructions.

That's why we can't "write" it any other way than it is.

# false positive on Select phrase in a sentence.
SecRule REQUEST_URI "@contains /api-resource/v" \
    "id:44,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942360"

IMHO, using ctl:ruleRemoveTargetById=942360;ARGS:json.body.message makes a tighter exclusion.
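To make the difference between the two exclusions concrete, here is an added example (not from the issue thread or the CRS project) that places the narrower ctl:ruleRemoveTargetById form beside the broad ctl:ruleRemoveById form from the comment above, plus the static SecRuleUpdateTargetById alternative. It assumes the same URI substring and JSON argument name as in the logs; the rule ids 1001 and 1002 are placeholders.

```apacheconf
# Added example, not from the issue thread or the CRS project.
# Runtime ctl: exclusions go in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# so they fire (phase 1) before CRS evaluates ARGS in phase 2. The JSON body
# processor is assumed enabled, which the ARGS:json.body.message log shows.

# Broad: rule 942360 is switched off for every argument of matching requests,
# so any other parameter in the same request is no longer checked by it.
SecRule REQUEST_URI "@contains /api-resource/v" \
    "id:1001,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942360"

# Tighter: 942360 still runs on the request, but skips only the free-text
# field where the word "Select" in a sentence produced the false positive.
SecRule REQUEST_URI "@contains /api-resource/v" \
    "id:1002,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942360;ARGS:json.body.message"

# Static equivalent when the field should be excluded on every URI.
# Goes in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, after 942360 is loaded.
SecRuleUpdateTargetById 942360 "!ARGS:json.body.message"
```

Use only one of the two runtime rules in practice; they are shown together so the scope difference is visible in one place.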

