rule 920300 title / details mismatch · Issue #1751 · coreruleset/coreruleset · GitHub


Closed
CRS-migration-bot opened this issue May 13, 2020 · 1 comment

@CRS-migration-bot

Issue originally created by user owingruters on date 2020-05-04 10:14:49.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1751.

I have a lot of positives for rule 920300 'Request Missing an Accept Header'.
The details are: 'Warning. Match of \'pm AppleWebKit Android\' against \'REQUEST_HEADERS:User-Agent\' required. '

The title of the rule and the details do not match. The first is about Accept-header, the latter about the User-agent header. 2 completely different things.

Also, the user-agent 'pm AppleWebKit Android' is one that is not known in the market. Still, the number of records tells me that it is not an anomaly, but coming from opening a marketing email we send.

I use this rule in Azure Application Gateway and they do not allow me to specifically add an exclusion on this value of the User-Agent, only on the entire header.

@CRS-migration-bot

User dune73 commented on date 2020-05-05 12:40:40:

Thank you for reporting, owingruters. This rule is a troubling one, but you are facing a misunderstanding.

pm AppleWebKit Android is a parallel match of the two keywords AppleWebKit and/or Android.

The full rule syntax is: Trigger an alert if no Accept Header unless it's an OPTIONS request coming from AppleWebKit or Android.

Now the trouble: ModSecurity only reports the last rule match. This complex rule has 3 rules chained, so you only get the match against the UAs.

I have now added more comments to this rule explaining the situation so the next user does not come to the same conclusion as you: SpiderLabs/owasp-modsecurity-crs#1753

However, you state you get a lot of false positives here. Would you mind sending us the audit-log of one of these requests, maybe the UA-List in the rule ought to be expanded. Feel free to attach here or open a separate issue. I will close this bug report in the meantime.
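
The chain behaviour described in the comment above, modelled in Python as an added example (not part of the original thread, and not ModSecurity or CRS code). It assumes the three chained conditions are: no Accept header, method is not OPTIONS, and the User-Agent contains neither keyword; the sample requests are constructed.

```python
# Simplified model of a chained rule (assumed structure, not the CRS rule text):
# every link must match (logical AND); only the last link's detail is logged.
TITLE = "Request Missing an Accept Header"   # msg set on the first rule of the chain
KEYWORDS = ("AppleWebKit", "Android")        # keyword list quoted in the issue

def ua_has_keyword(req):
    ua = req["headers"].get("User-Agent", "").lower()
    return any(k.lower() in ua for k in KEYWORDS)   # @pm matches case-insensitively

# (operator, target, negated, raw operator test) for each link, in chain order
CHAIN = [
    ("eq 0", "&REQUEST_HEADERS:Accept", False, lambda r: "Accept" not in r["headers"]),
    ("rx ^OPTIONS$", "REQUEST_METHOD", True, lambda r: r["method"] == "OPTIONS"),
    ("pm AppleWebKit Android", "REQUEST_HEADERS:User-Agent", True, ua_has_keyword),
]

def evaluate(req):
    """Return None when the chain does not fire, else (title, logged detail)."""
    detail = None
    for op, target, negated, test in CHAIN:
        hit = test(req) != negated      # a negated link matches when its operator does not
        if not hit:
            return None                 # one non-matching link cancels the whole chain
        # Detail wording follows the log line quoted in the issue; the
        # non-negated form is illustrative only.
        detail = (f"Match of '{op}' against '{target}' required."
                  if negated else f"Operator '{op}' matched at '{target}'.")
    return TITLE, detail                # earlier links' details are overwritten

# Constructed sample requests (not taken from any audit log)
SAMPLES = {
    "mail fetcher, no Accept": {
        "method": "GET", "headers": {"User-Agent": "ExampleMailFetcher/1.0"}},
    "Android client, no Accept": {
        "method": "GET", "headers": {"User-Agent": "Mozilla/5.0 (Linux; Android 10)"}},
    "OPTIONS, no Accept": {
        "method": "OPTIONS", "headers": {"User-Agent": "ExampleMailFetcher/1.0"}},
    "mail fetcher with Accept": {
        "method": "GET", "headers": {"Accept": "*/*", "User-Agent": "ExampleMailFetcher/1.0"}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name}: {evaluate(req)}")
```

Only the first sample fires, and its logged detail names the User-Agent check even though the alert title is about the Accept header.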
