Rule Id: 932150 false positive on time keyword #2044
Comments
Hi @noneisland, did you see my comment in #2047 (comment)?
We talked about this in the April issue chat. Here is our conclusion: @flo405 has a plan for how to solve this plus some additional bypasses. He will coordinate with @franbuehler, who self-assigned.
Hi @franbuehler, thank you for your reply. I understand that we can fix it by modifying the regex; is there a guide on how you build and test the change?
In order to modify the regexp, it is the same procedure that I described in #2071 (comment). After changing the source patterns, the compressed regexp has to be built. I'm not exactly up to date on the proposed change but will be very interested to hear more.
Hi @noneisland, do you have any updates here?
Or does @flo405 have any updates?
We talked about this issue at our recent project meeting. Decision: we have not heard from @flo405 anymore, so it's likely we have to start over from scratch ourselves. @franbuehler and @lifeforms agreed to take this on.
I'm willing to help, but I am not sure how to build and test the changes. Instructions on how to build the changes from scratch would help.
Thank you @noneisland. You'll hear from @franbuehler or @lifeforms soon.
Well, not so soon it seems. But this is not forgotten.
I tried an approach which was not fruitful and I have to dig into it more. Thanks for your patience.
Any update here @lifeforms?
I like @lifeforms' idea in the linked issue #2166:
So I went through all the RCE rule files and found some rules that we could enhance with a prefix at PL1. Would this be a possible way to go?
This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days.
This is not completed and we need to fix this. |
I'll update the following rules (see my comment above)
Windows:
Description
Request "/api/v1/query?q=time+warner", "GET", "1.1" returned 403.
Rule Id: 932150 phase: 2
`Rx' with parameter `(?:^|=)\s*(?:{|\s*(\s*|\w+=(?:[^\s]|$.|$.|<.|>.|'.'|".")\s+|!\s|$)\s(?:'|")(?:[?*[]()-|+\w'"./\\]+/)?[\\'"](?:l[\\'"](?:s(?:[\\'"](?:b[\\'"]*_[\\'"]*r (6252 characters omitted)' against variable `ARGS:q' (Value: `time warner' ) [file "/opt/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "444"] [id "932150"] [rev ""] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: time found within ARGS:q: time warner"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname ""] [uri "/api/v1/query"] [unique_id "161670536857.434291"] [ref "o0,5v20,11"]
Log: [client ] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/opt/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "138"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname ""] [uri "/api/v1/query"] [unique_id "161670536857.434291"] [ref ""]
Intervention, returning code: 403
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
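The log above shows the mechanism of the false positive: 932150 at PL1 accepts a command keyword at the very start of the argument value, so the plain query "time warner" matches on "time" with no shell context at all. The harness below is an added example and is not CRS code, not the 932150 regex, and not the project's regex-assembly tooling. It uses a constructed, drastically simplified stand-in for the rule's keyword alternation (`AMBIGUOUS_CMDS`, `CHAIN_SEP`, `build_pattern` and `evaluate` are all hypothetical names) to show how a regression check separates the loose form (keyword allowed at value start) from a stricter form that requires a command-chaining separator before the keyword, which is one reading of the "prefix at PL1" idea in the thread. Python's `re` stands in for ModSecurity's PCRE; the sample inputs are constructed.

```python
import re

# Constructed stand-in for a handful of 932150 keywords that are also
# ordinary English words. The real rule's compressed regex is thousands
# of characters long; this list is illustrative only.
AMBIGUOUS_CMDS = ["time", "date", "find", "kill", "less", "more", "test"]

# Shell separators that put the following token in command position:
# ';', '|', '&', a newline, '$(' and a backtick.
CHAIN_SEP = r"(?:[;|&\n]|\$\(|`)"


def build_pattern(require_prefix: bool) -> re.Pattern:
    """Return a detection regex for AMBIGUOUS_CMDS.

    require_prefix=False mirrors the loose behaviour seen in the log: the
    keyword may sit at the very start of the value, so "time warner" matches.
    require_prefix=True demands a chaining separator before the keyword, the
    shape a stricter PL1 variant would take; the loose form would then be
    reserved for a higher paranoia level.
    """
    keywords = "(?:" + "|".join(map(re.escape, AMBIGUOUS_CMDS)) + ")"
    prefix = CHAIN_SEP if require_prefix else r"(?:^|" + CHAIN_SEP + ")"
    # A command keyword is followed by whitespace or the end of the value.
    return re.compile(prefix + r"\s*" + keywords + r"(?:\s|$)", re.IGNORECASE)


# Constructed samples. BENIGN are plausible search queries; SUSPICIOUS are
# the minimal command-chaining shapes the rule exists to catch.
BENIGN = ["time warner", "date night ideas", "find my phone", "less is more"]
SUSPICIOUS = ["x;time ls", "$(time ls)", "foo|time id"]


def matches(pattern: re.Pattern, value: str) -> bool:
    return pattern.search(value) is not None


def evaluate(pattern: re.Pattern):
    """Return (false_positives, missed_detections) over the constructed samples."""
    false_positives = [v for v in BENIGN if matches(pattern, v)]
    missed = [v for v in SUSPICIOUS if not matches(pattern, v)]
    return false_positives, missed


if __name__ == "__main__":
    for label, strict in (("loose (keyword at value start allowed)", False),
                          ("strict (separator required)", True)):
        fps, missed = evaluate(build_pattern(strict))
        print(f"{label}: false positives={fps} missed={missed}")
```

Running it shows the loose pattern flagging every benign query while the strict pattern flags none of them and still catches all three chained samples. The same shape of check, a benign corpus beside a positive corpus run against the rebuilt regex, is what a PR touching the 932150 source patterns should carry, so that a compressed regex change can be judged on both false positives and coverage rather than on one report.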