Rule Id: 932150 false positive on time keyword

Description

Request “/api/v1/query?q=time+warner”, “GET”, “1.1” returned 403.

Rule Id: 932150 phase: 2

• Match, but no disruptive action: ModSecurity: Warning. Matched "Operator Rx' with parameter (?:^|=)\s*(?:{|\s*(\s*|\w+=(?:[^\s]|$.|$.|<.|>.|'.'|".")\s+|!\s|$)\s(?:‘|")(?:[?*[]()-|+\w’"./\\]+/)?[\\'"](?:l[\\’"](?😒(?:[\\'"](?:b[\\‘"]*_[\\’"]*r (6252 characters omitted)’ against variable ARGS:q' (Value: time warner’ ) [file “/opt/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf”] [line “444”] [id “932150”] [rev “”] [msg “Remote Command Execution: Direct Unix Command Execution”] [data “Matched Data: time found within ARGS:q: time warner”] [severity “2”] [ver “OWASP_CRS/3.3.0”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-shell”] [tag “platform-unix”] [tag “attack-rce”] [tag “paranoia-level/1”] [tag “OWASP_CRS”] [tag “capec/1000/152/248/88”] [tag “PCI/6.5.2”] [hostname “”] [uri “/api/v1/query”] [unique_id “161670536857.434291”] [ref “o0,5v20,11”]

Log: [client ] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5’ against variable TX:ANOMALY_SCORE' (Value: 5’ ) [file “/opt/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “138”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.0”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “”] [uri “/api/v1/query”] [unique_id “161670536857.434291”] [ref “”] Intervention, returning code: 403

Your Environment

• CRS version: default v3.4/dev
• Paranoia level setting:
• ModSecurity version : 3.0.4
• Web Server and version :
• Operating System and version: Amazon Linux 2

Confirmation

[x ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.