Rules 941100/941120/942100 blocks randomly generated Cookie · Issue #1828 · coreruleset/coreruleset · GitHub
Closing this issue and opening a new one with the idea to move closer to 941120 ("I think we can probably salvage 941120 by only firing on onXXX with 3-22 X characters… onget seems to be the shortest one, onmozorientationchange the longest one").
Hi @boindil. Thank you for reporting, and sorry for the inconvenience.
Rules 941100 and 942100 use the libinjection operator, which is based directly on the libinjection library, and we have no handle over that library. So we cannot help you there.
But after discussing the problem, I have sharpened rule 941120 to avoid the FPs you encountered, in Pull Request #1872.
Rules 941100/941120/942100 blocks randomly generated Cookie
Description
Rule 941120 detects an anomaly within our random X-XSRF-TOKEN cookie. This only happens sometimes, but of course it should never happen to any client.
941100
[Mon Jun 29 10:44:50.610788 2020] [:error] [pid 24760:tid 140637756188416] [client IP:49010] [client IP] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "HOST"] [uri "/myuri"] [unique_id "XvmqAr@R3iXlKc4UtFUjCAAAALg"]
[Mon Jun 29 10:44:50.609205 2020] [:error] [pid 24760:tid 140637756188416] [client IP:49010] [client IP] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "59"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within REQUEST_COOKIES:XSRF-TOKEN: OnenjaxCqwGMapOEgavWPFJKttPYV2VOUZN1twRGGwifnDpj1-wd6ys1buyiFd12MUFWJDtoEuQYwrsHe_DTciDwkGhOH_2F4SXGJBgnoN9bSla9h2DAG3SRIygyrueAB6lnticwWGvLvO1ficrcPTlk0j-k5ykklfGMjZLLAx7R4sAk9DldrTZxjZ7CwxBQ3jFYHzNzMBdi1gzPiLEGrOiQgwjSJFy8HsCMQqpfLWWRTE6HDwssEtF5sRplFW4O0AJDdU-cz_Xcv_gFLig6TvfZzKye6mr_GykyotnKPEuINL0K6ZxNlYO2nnc3Kw7p5uTfXBXpmMUJO0lir91vLw=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "HOST"] [uri "/myuri"] [unique_id "XvmqAr@R3iXlKc4UtFUjCAAAALg"]
941120
[Fri Jun 26 20:12:42.492551 2020] [:error] [pid 30994:tid 140638704105216] [client IP:47712] [client IP] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "HOST"] [uri "/myuri"] [unique_id "XvY6miqQRcqsQd5GKO2fAQAAADA"]
[Fri Jun 26 20:12:42.491091 2020] [:error] [pid 30994:tid 140638704105216] [client IP:47712] [client IP] ModSecurity: Warning. Pattern match "(?i)[\\s\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=" at REQUEST_COOKIES:XSRF-TOKEN. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "120"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 3OnBw= found within REQUEST_COOKIES:XSRF-TOKEN: QBh81j814RcSXCJSHFbyZwy5tWg7mZaUc7SvTBsaFKMRTFEtBPwSgVSRXJbW7LQbwcjk44lCEFpei3j0bU3AXUZJTi5ffox5KbWojQ5uoToJ8lcGeIk78TCIGojpENwa73dj4IMSAdfd9GKb01ZSF0mANLHMn7SVmo14qsgSl9-GlBh-EzOf0auf9WAsflUBQ5AVNepwmYEVgIUXIjYhqHq1JZjP4jnO93_Gsbs2QGy57NMwFkGhNABidr_O9R94hgK5DOqvWhuA1VCT4gzZSWOALf9lTGn159jX_-L8EHs6HMv7WGJrZIYCbsy9V2mLo7NStGcKFdY-shHoE3OnBw=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSens [hostname "HOST"] [uri "/myuri"] [unique_id "XvY6miqQRcqsQd5GKO2fAQAAADA"]
[Fri Jun 26 20:13:14.173518 2020] [:error] [pid 31198:tid 140638813144832] [client IP:0] [client IP] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "HOST"] [uri "/myuri"] [unique_id "XvY6ugkrdPLz@OCjaWusAQAAAOw"]
[Fri Jun 26 20:13:14.172022 2020] [:error] [pid 31198:tid 140638813144832] [client IP:0] [client IP] ModSecurity: Warning. Pattern match "(?i)[\\s\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=" at REQUEST_COOKIES:XSRF-TOKEN. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "120"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 1oNQ= found within REQUEST_COOKIES:XSRF-TOKEN: XozC2J-_rop1RDf-vBfz3kcK31fJ0ami3STF_e4bo530tTKFhunU10ExdhCrIADzJY63ssPZnw2FOymJE88vFJJO7ix9koL9E6H5p72Ha5Uk1MoJJ4vtsGiisvcJuox_nnqyNWgWEx-Qtu-b7pnckZ36M4rS7_PcqRY57pcMjd4ucmwkOLC-rwjIYo7DoA-SeR6Yvz7nq_v4GnueWA7ssoZbIMzpwidtORf3yuSmgXu-fnbW5G1nVCcdd756UC_SdchPqq7S1O3ZdXeJwR6mQb7xOdRB7V_xSnBZ63kY_N8f9P4Fba6ltQ72OiOkxL9pF2TLXay1rKkpQgyw-l1oNQ=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSenso [hostname "HOST"] [uri "/myuri"] [unique_id "XvY6ugkrdPLz@OCjaWusAQAAAOw"]
942100
[Mon Jun 29 17:07:53.930949 2020] [:error] [pid 8901:tid 140657581741824] [client IP:0] [client IP] ModSecurity: Warning. detected SQLi using libinjection with fingerprint '1c' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "67"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within REQUEST_COOKIES:XSRF-TOKEN: 7--2cS_9yLB0HYRzqL3tVn2FKR4xJKp71JBTl2WUF9QN1m33ZTlGnlqb5NojmaZYJZLIVFYhB-At_7fFYkzYsHUgXr-RgKUt8H1G8UJfnVzQQ_58QKr8Y3K0QHbJ9KvAQYa6U7SifG83hbsYc69YYEnxu2tU9Okmss9H5G1SSKLBQTWBKflOyv1lQFqdUAI8836Paw3hv0x9F7-fnggnKWKKEkeyxMWtGjiAljaYJHRxf_Vvosac4Pevg7h0oGbbr5_NxMLuo2kZtiFxhIm-nzTh69WDsyKN0Ki3UUywY4raEedOEqPovBneTtGBv7NeAh1WwYP-roXKUzuZEzquZg%3D%3D"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "HOST"] [uri "/myuri"] [unique_id "XvoDydQjuT5zzqUb-4M5CgAAAsA"]
Audit Logs / Triggered Rule Numbers
Rules triggered:
Your Environment
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
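Added example, not code from the issue or from the Core Rule Set: it reproduces the two 941120 hits from the logs above against the regex exactly as ModSecurity printed it, checks the bounded-handler-name variant proposed in the closing comment (3 to 22 letters after `on`) against the same samples and against two real event-handler vectors, and estimates how often each variant would block a random token. Assumptions: the token generator (urlsafe base64 of 256 random bytes, giving the 344-character `==`-terminated shape seen in the logs) is a constructed stand-in for the application's real cookie; the `no_padding` variant, which additionally refuses an `=` that is followed by another `=`, is my own idea prompted by the fact that both logged matches end right before base64 padding, and is not the regex PR #1872 shipped; the sample strings are excerpted tails of the logged cookie values plus constructed XSS payloads.

```python
import base64
import random
import re

# CRS 3.2.0 rule 941120 as ModSecurity printed it in the log lines above,
# with the log's doubled backslashes collapsed back to single ones.
RE_941120_ORIGINAL = re.compile(
    r'''(?i)[\s"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?='''
)

# The closing comment's proposal: only fire on handler names of 3..22 letters
# ("onget" is the shortest real handler, "onmozorientationchange" the longest).
RE_941120_BOUNDED = re.compile(
    r'''(?i)[\s"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]{3,22}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?='''
)

# ASSUMPTION / own idea, not from the issue or the CRS fix: both logged hits
# ("...3OnBw==", "...1oNQ==") end right before base64 padding. An attribute
# assignment followed by a second "=" is not a usable handler vector, so also
# require the "=" to be followed by something other than another "=".
RE_941120_NO_PADDING = re.compile(
    r'''(?i)[\s"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]{3,22}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]'''
)

VARIANTS = {
    "original": RE_941120_ORIGINAL,
    "bounded": RE_941120_BOUNDED,
    "no_padding": RE_941120_NO_PADDING,
}

# Constructed samples: tails of the two cookie values from the 941120 log lines,
# plus two real event-handler vectors that any tightened rule must keep catching.
SAMPLES = {
    "token_tail_1": "shHoE3OnBw==",
    "token_tail_2": "Qgyw-l1oNQ==",
    "xss_short_handler": '"><img src=x onerror=alert(1)>',
    "xss_long_handler": "1 onmozorientationchange=alert(1)",
}


def matched_data(pattern, value):
    """Return what ModSecurity would log as 'Matched Data', or None if no hit."""
    m = pattern.search(value)
    return m.group(0) if m else None


def classify(value):
    """Map each variant name to whether it would flag this value."""
    return {name: matched_data(rx, value) is not None for name, rx in VARIANTS.items()}


def random_xsrf_token(rng, nbytes=256):
    """Constructed stand-in for the app's cookie: urlsafe base64 of random bytes.
    256 bytes give 344 characters ending in '==', like the logged values."""
    raw = rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")
    return base64.urlsafe_b64encode(raw).decode()


def false_positive_rates(n=20000, seed=1828):
    """Fraction of random tokens each variant blocks; deterministic for a seed."""
    rng = random.Random(seed)
    hits = {name: 0 for name in VARIANTS}
    for _ in range(n):
        tok = random_xsrf_token(rng)
        for name, rx in VARIANTS.items():
            if rx.search(tok):
                hits[name] += 1
    return {name: hits[name] / n for name in VARIANTS}


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:20s} {classify(value)}")
    for name, rate in false_positive_rates().items():
        print(f"{name:12s} blocks {rate:.4%} of random tokens")
```

Because `=` only ever occurs in base64 as trailing padding, a random token can only hit 941120 when it ends in digit, `on`, a run of letters, then `=`; bounding the letter run removes the two logged cases but not the whole class, which is why the per-site fix is still a target exclusion such as `SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:XSRF-TOKEN"`. The same exclusion (with ids 941100 and 942100) is the only option for the libinjection rules the maintainer says CRS cannot tune; the `1c` fingerprint in the 942100 log is libinjection's code for a number followed by a comment, which is exactly what the leading `7--` of that urlsafe token looks like to a SQL tokenizer.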