Rule 941120: false positive for the Russian language

Description

Caught a false positive on the words “употребляют наркотики”

941120 Matched Data: ;ONB = found within ARGS:json.description: #?>B@51;ONB =0@:>B8:8

ляют н
;ONB =

Audit Logs / Triggered Rule Numbers

"response":{"body":"<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n","http_code":403,"headers":{"Server":"","Server":"","Date":"Fri, 04 Dec 2020 15:21:01 GMT","Content-Length":"146","Content-Type":"text/html","Access-Control-Allow-Origin":"*","Connection":"close","Access-Control-Allow-Credentials":"true","Strict-Transport-Security":"max-age=15724800; includeSubDomains"}},"producer":{"modsecurity":"ModSecurity v3.0.4 (Linux)","connector":"ModSecurity-nginx v1.0.1","secrules_engine":"Enabled","components":["OWASP_CRS/3.3.0\""]},"messages":[{"message":"XSS Filter - Category 2: Event Handler Vector","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=' against variable `ARGS:json.description' (Value: `\\xd1\\x83\\xd0\\xbf\\xd0\\xbe\\xd1\\x82\\xd1\\x80\\xd0\\xb5\\xd0\\xb1\\xd0\\xbb\\xd1\\x8f\\xd1\\x8e\\xd1\\x82 \\xd0\\xbd\\xd
(61 characters omitted)' )","reference":"o7,6v17,41t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls","ruleId":"941120","file":"/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf","lineNumber":"89","data":"Matched Data: ;ONB = found within ARGS:json.description: C?>B@51;ONB =0@:>B8:8","severity":"2","ver":"OWASP_CRS/3.3.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-xss","paranoia-level/1","OWASP_CRS","capec/1000/152/242"],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"match":"Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )","reference":"","ruleId":"949110","file":"/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"80","data":"","severity":"2","ver":"OWASP_CRS/3.3.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-generic"],"maturity":"0","accuracy":"0"}}]}}

Your Environment

• CRS version (e.g., v3.2.0): v3.3.0
• Paranoia level setting: 1
• ModSecurity version (e.g., 2.9.3): v3.0.4
• Image: k8s.gcr.io/ingress-nginx/controller:v0.41.2

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.