8000 Rule: 942190: False positive 0202 · Issue #2075 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Rule: 942190: False positive 0202 #2075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Shajinraj opened this issue May 17, 2021 · 6 comments · Fixed by #2078
Closed

Rule: 942190: False positive 0202 #2075

Shajinraj opened this issue May 17, 2021 · 6 comments · Fixed by #2078
Assignees
@azurit
Labels
➕ False Positive

Comments

@Shajinraj
Copy link

Description

[-:error] ModSecurity: Warning. Pattern match "(?i:(?:[\"'](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\\\)]?|u(?:nion(?:[\\w(\\s]?select| select @)|ser\\s*?\\([^\\\\)]?)|s(?:chema\\s?\\([^\\\\)]?|elect.?\\w?user\\()|in ..." at ARGS:q. [file "../../../coreruleset-3.4-dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "200"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: User( found within ARGS:q: appUser(sitename,user)"] [severity "CRITICAL"] ["OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "*******************"]

Audit Logs / Triggered Rule Numbers

  • CRS version (e.g., v3.2.0):
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3):
  • Web Server and version (e.g., httpd 2.4.41):
  • Operating System and version: RHEL 7.9

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

Hi Guys,

I am getting this false positive when I click a particular tab in my website. Could you please help me that this rule can be removed or we have any other fix?
@Shajinraj Shajinraj changed the title Rule: 942190: False positive #0202 Rule: 942190: False positive 0202 May 17, 2021
@azurit
Copy link
Member
azurit commented May 17, 2021

Hi @Shajinraj! Thanks for reporting this. Can you, please, post a full request log? You can enable logging in modsecurity.conf using SecAudit directives.

@azurit
Copy link
Member
azurit commented May 17, 2021

Ok, maybe it's not needed. If i'm looking correctly, this regexp from file regexp-942190.data is matching:
user\s*?\([^\)]*?

Maybe it can be rewritten into these two regexpes:

^user\s*?\([^\)]*?
[^a-z]user\s*?\([^\)]*?

@azurit azurit mentioned this issue May 17, 2021
Closed
@azurit azurit self-assigned this May 17, 2021
@azurit azurit mentioned this issue May 18, 2021
Merged
@Shajinraj
Copy link
Author

As we are new to OWASP CRS, Could you please help us that we can modify the regexp-942190.data and add the given fix or we need to add it an separate file as conf?

@azurit
Copy link
Member
azurit commented May 18, 2021

Edit file rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf, search for rule ID 942190 and change it's first line to this:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\b(?:(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| select @)|ser\s*?\([^\)]*?)|s(?:chema\s*?\([^\)]*?|elect.*?\w?user\()|into[\s+]+(?:dump|out)file\s*?[\"'`]|from\W+information_schema\W|exec(?:ute)?\s+master\.)|[\"'`](?:;?\s*?(?:union\b\s*?(?:(?:distin|sele)ct|all)|having|select)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|\s*?exec(?:ute)?.*?\Wxp_cmdshell|\wii
8000
f\s*?\()" \

@dune73
Copy link
Member
dune73 commented May 18, 2021

Please be aware that changing a rule file will prevent you from upgrading to a future version of the rule set.

It's usually better to address false positives with a rule exclusion. This technique is explained at length at https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/

@dune73
Copy link
Member
dune73 commented May 18, 2021

Please be aware that changing a rule file will prevent you from upgrading to a future version of the rule set.

It's usually better to address false positives with a rule exclusion. This technique is explained at length at https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/

I'm closing this issue in favor of the pull request at #2078.

@dune73 dune73 closed this as completed May 18, 2021
@dune73 dune73 mentioned this issue Jun 21, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@azurit azurit

Labels
➕ False Positive
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Adding word boundary to lower FPs
3 participants
@dune73 @azurit @Shajinraj
0