FPs with Cloudflare proxy and paranoia 4

Description

Proxying the website with Cloudflare on paranoia level 4 create some FPs.

1. The header CF-Visitor: {“scheme”:“https”} is appended and gets FP because of the {}.
2. Some cookie stuff I didn’t actually understand

Note that this is paranoia level 4 so it’s kind of normal to have these FPs. Still, it would be useful to handle this headers better or to exclude them completely (?)

Audit Logs / Triggered Rule Numbers

920274 and 942421

ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `32,34,38,42-59,61,65-90,95,97-122' against variable `REQUEST_HEADERS:CF-Visitor' (Value: `{"scheme":"https"}' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1562"] [id "920274"] [rev ""] [msg "Invalid character in request headers (outside of very strict set)"] [data "REQUEST_HEADERS:CF-Visitor={"scheme":"https"}"] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "paranoia-level/4"] [hostname "192.168.1.4"] [uri "/favicon.ico"] [unique_id "1623054007"] [ref "o0,1o17,1v210,18t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){3})' against variable `REQUEST_COOKIES:cf_clearance' (Value: `redactedhexstring144-1622108318-0-150' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1598"] [id "942421"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)"] [data "Matched Data: -1622108318-0- found within REQUEST_COOKIES:cf_clearance: redactedhexstring144-1622108318-0-150"] [severity "4"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/4"] [hostname "192.168.1.4"] [uri "/favicon.ico"] [unique_id "1623054007"] [ref "o40,14o40,14v770,57t:urlDecodeUni"]

Your Environment

• CRS version : last commit
• Paranoia level setting: 4
• ModSecurity version : latest (3.0.4)
• Web Server and version (e.g., nginx/1.14.2):
• Operating System and version: debian buster arm64

Confirmation

I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.