Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Sandbox is wrong about in which PL a payload would be detected.

See original GitHub issue

Describe the bug

More a minor / cosmetic problem.

Sending a request against the sandbox with

#!/usr/bin/env python3

import json
import requests

URL = "https://sandbox.coreruleset.org/"

message = {}

headers = {
    "X-Backend": "nginx",
    "X-CRS-Paranoia-Level": "2",
    "X-Format-Output": "txt-matched-rules-extended",
}
response = requests.get(URL, headers=headers)
print(response.text)

results in

This payload has been tested against the OWASP ModSecurity Core Rule Set 
web application firewall. The test was executed using the nginx engine and CRS version 3.3.2.

The payload is being detected by triggering the following rules:

913101 PL2 Found User-Agent associated with scripting/generic HTTP client
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)

CRS therefore detects this payload starting with paranoia level 1.

I think the last sentence is wrong.

While there is a PL1 rule in the log, it is only the anomaly score rule. The rule which detects the payload is only in paranoia level 2. So in PL1, the payload would not be detected.

Issue Analytics

State:
Created a year ago
Comments:11 (7 by maintainers)

Top GitHub Comments

1reaction

mirkodziadzka-avicommented, Jul 28, 2022

@fzipi Seems to work fine and as expected. Thank You.

0reactions

fzipicommented, Jul 28, 2022

Thanks for filing this! Closing now.

Top Results From Across the Web

Windows Analysis Report payload.exe - Joe Sandbox

Detected potential crypto function. PE / OLE file has an invalid certificate. Contains functionality to dynamically determine API calls.

Viewing online file analysis results for 'PAYLOAD'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

Analyzing Metasploit Payloads - Hatching.io

Automated malware analysis with Hatching Triage, the high-volume sandbox solution for SOCs, CERTs, SOARs, and MSSPs.

RT_FIL_09 : Invalid API Payload - Google Groups

We are getting error as RT_FIL_09 : Invalid API Payload while filing GSTR-2 with DSC on Sandbox. Thanks,. CA Gaurav Doshi.

How can Advanced Sandboxing Techniques Thwart Elusive ...

Traditional sandboxes rely mostly on dynamic analysis—understanding how malware behaves within its environment by emulating and executing its binaries. Malware, ...