8000 False Positive with word Ping in 932115 · Issue #2135 · coreruleset/coreruleset · GitHub

Closed
franbuehler opened this issue Jun 22, 2021 · 4 comments

Comments

@franbuehler
Contributor
franbuehler commented Jun 22, 2021

Description

Audit Logs / Triggered Rule Numbers

False Positive with \nPing Pong and &Ping Pong in RCE rule 932115.

[2021-06-21 09:42:54.229922] [-:error] 10.1.1.1:12345 xyz [client 10.1.1.2] ModSecurity: Warning. Pattern match "(?i)(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|`)\\\\s*[\\\\(,@\\\\'\\"\\\\s]*(?:[\\\\w'\\"\\\\./]+/|[\\\\\\\\'\\"\\\\^]*\\\\w[\\\\\\\\'\\"\\\\^]*:.*\\\\\\\\|[\\\\^\\\\.\\\\w '\\"/\\\\\\\\]*\\\\\\\\)?[\\"\\\\^]*(?:s[\\"\\\\^]*(?:y[\\"\\\\^]*s[\\"\\\\^]*(?:t[\\"\\\\^]*e[\\"\\\\^]*m[\\"\\\\^]*(?:p[\\"\\\\^]*r[\\"\\\\^]*o[\\"\\\\^]*p[\\"\\\\^]*e ..." at ARGS:myarg. [file "/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "294"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \\x0d\\x0aPing found within ARGS:myarg: Fussball spielen\\x0d\\x0aPing Pong"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "x.ch"] [uri "/myuri"] [unique_id "xyz"]

https://regex101.com/r/YJwfiJ/1

Your Environment

  • CRS version (e.g., v3.2.0): 3.3.0
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 2.9.3

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@dune73
Member
dune73 commented Jul 19, 2021

The &Ping Pong does not trigger any rules for me. Yet &ping pong triggers 932150.

The line break brings the following:

$ curl localhost -d 'foo=           
Ping Pong'
932115 Remote Command Execution: Windows Command Injection

$ curl localhost -d 'foo=
ping pong'
932105 Remote Command Execution: Unix Command Injection
932115 Remote Command Execution: Windows Command Injection
932150 Remote Command Execution: Direct Unix Command Execution

The difference with lowercase is fairly striking. As is the number of rules being triggered. I suggest replacing Ping Pong with table tennis. That fares a lot better from a FP perspective.

@dune73
Member
dune73 commented Aug 16, 2021

Honestly, I do not really know what to do here outside of ignoring the problem. Any ideas?

@franbuehler
Contributor Author

Yes, this problem may be too rare. We can close this issue here. I just wanted to report the problem but then didn't find the time to resolve it ;-)

@franbuehler
Contributor Author
franbuehler commented Aug 16, 2021

CRS issue chat meeting: we don't like a chained rule that excludes "ping pong".
In addition, this could potentially open a bypass.
We think we should leave this for quieter times.
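Added illustration, not code from the CRS project or from anyone in this thread: a Python reconstruction of the shape of the 932115 pattern quoted in the audit log above, run against the reported value and a few constructed variants. The separator alternation, the whitespace/quote junk class and the optional path prefix are copied from the prefix visible in the log; the command list is an assumed hand-picked subset (the real rule's alternation is generated from a much longer list of Windows command names, which includes ping), the trailing `\b` is an assumption standing in for the rule's real terminator, and the function names are the example's own. It shows why `\r\nPing Pong` is logged with Matched Data `\r\nPing`: `\r` is one of the accepted command separators, `\s*` swallows the `\n`, and `(?i)` makes `Ping` equal to `ping`. One caveat when reproducing with curl: in an `application/x-www-form-urlencoded` body a raw `&` delimits parameters, so `foo=&Ping Pong` reaches the engine as two arguments and neither carries the `&`; the function below is handed the decoded argument value directly. The second function reproduces the chained "exclude ping pong" idea discussed in the last comment, to show why it would suppress other hits as well.

```python
import re
from typing import Optional

# Separator alternation, copied from the prefix of the 932115 pattern quoted in
# the audit log: ; { | || & && newline carriage-return backtick.
# A bare \r or \n counts as a command separator, which is why a value that
# merely contains a line break gets this far.
SEPARATOR = r"(?:;|\{|\||\|\||&|&&|\n|\r|`)"

# Whitespace and shell/quote junk the rule tolerates after the separator (also
# from the log). The \s* is what swallows the \n that follows the \r.
LEADING_JUNK = r"\s*[\(,@\'\"\s]*"

# Optional path or drive prefix in front of the command (from the log), e.g.
# ./ , C:\...\ or \\host\share\ ; being optional, a bare command word passes.
PATH_PREFIX = r"(?:[\w'\"\./]+/|[\\'\"\^]*\w[\\'\"\^]*:.*\\|[\^\.\w '\"/\\]*\\)?"

# ASSUMPTION: a short hand-picked subset. The real rule's alternation is
# generated from a long list of Windows command names; 'ping' is on it.
COMMANDS = ["ping", "dir", "systeminfo", "powershell", "whoami"]


def obfuscatable(word: str) -> str:
    """Interleave the letters with the same quote/caret filler the quoted
    pattern uses (s["^]*y["^]*s...), so p^i^ng or p""ing still match."""
    return r'["\^]*'.join(re.escape(ch) for ch in word)


# Trailing \b is an assumption standing in for the rule's real terminator.
PATTERN = re.compile(
    "(?i)"
    + SEPARATOR
    + LEADING_JUNK
    + PATH_PREFIX
    + r'["\^]*(?:'
    + "|".join(obfuscatable(c) for c in COMMANDS)
    + r")\b"
)


def matched_data(value: str) -> Optional[str]:
    """Return what ModSecurity would log as 'Matched Data' for one decoded
    argument value, or None when the 932115-like pattern does not fire."""
    m = PATTERN.search(value)
    return m.group(0) if m else None


def with_naive_exclusion(value: str) -> Optional[str]:
    """The chained-rule idea the thread rejects: suppress the hit whenever the
    argument contains "ping pong". Any argument that also carries that phrase
    is then silently skipped, whatever else it contains."""
    hit = matched_data(value)
    if hit is not None and "ping pong" in value.lower():
        return None
    return hit


if __name__ == "__main__":
    # Constructed inputs: the value from the issue's audit log plus variants.
    samples = [
        "Fussball spielen\r\nPing Pong",   # the reported false positive
        "Ping Pong",                       # no separator in front: no hit
        "&Ping Pong",                      # as a decoded value, & is a separator
        "\r\ntable tennis",                # the suggested replacement wording
        "\r\np^i^ng pong",                 # caret obfuscation is still caught
    ]
    for s in samples:
        print(repr(s), "->", repr(matched_data(s)))
    # The exclusion also hides the 'dir' hit because the phrase is present.
    print(repr(with_naive_exclusion("\r\ndir ping pong")))
```

`matched_data` is the only part that mirrors the rule; `with_naive_exclusion` exists purely to make the last comment's concern concrete: a whole-argument negative match keyed on a phrase removes the alert for every value that happens to contain that phrase, not just for the benign one.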
