Grafana: query range treated as SQLi using libinjection

Description

I plan to implement WAF using ModSec + CRS, but until now i still run in DetectionOnly mode to make sure my normal production traffic is fine and make sure there is no false positive detection. During i running modsec in DetectionOnly i got many false positive detection and fix it by customizing crs-setup.conf to reduce false positive detection, except this false positive detection produced by grafana apps. So, i need help how to solve this.

Request / Response

i provide this because i can’t find it in modsec log, and i think it can be useful

Request (Form Data)

query: ((node_memory_SwapTotal_bytes{instance="10.240.20.10:9100",job="node-apps"}+-+node_memory_SwapFree_bytes{instance="10.240.20.10:9100",job="node-apps"})+/+(node_memory_SwapTotal_bytes{instance="10.240.20.10:9100",job="node-apps"}+))+*+100
start: 1623226500
end: 1623312900
step: 300

Response (Truncated)

{"status":"success","data":{"resultType":"matrix","result":[{"metric":{"instance":"10.240.20.10:9100","job":"node-apps"},"values":[[1623226500,"NaN"],[1623226800,"NaN"],[1623227100,"NaN"],[1623227400,"NaN"],[1623227700,"NaN"],[1623228000,"NaN"], ... [1623311100,"NaN"],[1623311400,"NaN"],[1623311700,"NaN"],[1623312000,"NaN"],[1623312300,"NaN"],[1623312600,"NaN"],[1623312900,"NaN"]]}]}}

Audit Logs / Triggered Rule Numbers

---HtKCF5ov---A--
[10/Jun/2021:15:15:07 +0700] 1623312907 192.168.11.2 41898 10.240.20.80 443
---HtKCF5ov---B--
POST /api/datasources/proxy/1/api/v1/query_range HTTP/2.0
origin: https://grafana.example.com
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
sec-gpc: 1
sec-fetch-site: same-origin
content-type: application/x-www-form-urlencoded
x-grafana-org-id: 1
accept-encoding: gzip, deflate, br
cookie: grafana_session=340efd9aca0422adf101691e898e8486
x-panel-id: 152
accept: application/json, text/plain, */*
x-dashboard-id: 2
content-length: 315
host: grafana.example.com
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://grafana.example.com/d/rYdddlPWk/node-exporter-full?orgId=1&refresh=1m
accept-language: en-US,en;q=0.9

---HtKCF5ov---D--

---HtKCF5ov---F--
HTTP/2.0 200
Server: nginx
Date: Thu, 10 Jun 2021 08:15:07 GMT
Content-Type: application/json
X-Content-Type-Options: nosniff
Connection: close
X-Xss-Protection: 1; mode=block
Content-Encoding: gzip
X-Frame-Options: deny

---HtKCF5ov---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "10.240.20.80"] [uri "/api/datasources/proxy/1/api/v1/query_range"] [unique_id "1623312907"] [ref "v728,198"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.240.20.80"] [uri "/api/datasources/proxy/1/api/v1/query_range"] [unique_id "1623312907"] [ref ""]

---HtKCF5ov---I--

---HtKCF5ov---J--

---HtKCF5ov---Z--

Your Environment

• Grafana version: Version 7.5.2 (commit: ca413c612f, branch: HEAD)
• CRS version (e.g., v3.2.0): v3.3.0
• Paranoia level setting: Default
• ModSecurity version: 3.0.4
• Web Server and version (e.g., apache 2.4.41): nginx 1.16.1
• Operating System and version: Centos 7

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.