Sandbox is wrong about in which PL a payload would be detected. #2450

mirkodziadzka-avi · 2022-03-25T15:31:21Z

Describe the bug

More a minor / cosmetic problem.

Sending a request against the sandbox with

#!/usr/bin/env python3

import json
import requests

URL = "https://sandbox.coreruleset.org/"

message = {}

headers = {
    "X-Backend": "nginx",
    "X-CRS-Paranoia-Level": "2",
    "X-Format-Output": "txt-matched-rules-extended",
}
response = requests.get(URL, headers=headers)
print(response.text)

results in

This payload has been tested against the OWASP ModSecurity Core Rule Set 
web application firewall. The test was executed using the nginx engine and CRS version 3.3.2.

The payload is being detected by triggering the following rules:

913101 PL2 Found User-Agent associated with scripting/generic HTTP client
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)

CRS therefore detects this payload starting with paranoia level 1.

I think the last sentence is wrong.

While there is a PL1 rule in the log, it is only the anomaly score rule.
The rule which detects the payload is only in paranoia level 2.
So in PL1, the payload would not be detected.

The text was updated successfully, but these errors were encountered:

franbuehler · 2022-03-25T15:45:49Z

Thank you for your report.
I can confirm that the blocking rule is shown at PL1.
The response therefore incorrectly shows that the request is blocked starting with PL1.
We will check that.

github-actions · 2022-07-25T02:11:49Z

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

fzipi · 2022-07-27T14:34:10Z

@mirkodziadzka-avi From what I see in the code, this depends on parsing the result of rules 980XXX and nginx is not logging those.

fzipi · 2022-07-27T14:38:00Z

You can see the difference using:

curl -H 'x-crs-paranoia-level: 2' -H "x-backend: apache" -H 'User-Agent: python-requests/1.2' https://sandbox.coreruleset.org/get
curl -H 'x-crs-paranoia-level: 2' -H "x-backend: nginx" -H 'User-Agent: python-requests/1.2' https://sandbox.coreruleset.org/get

Those are the actual json logs from modsec 🤷

mirkodziadzka-avi · 2022-07-27T14:56:59Z

@fzip I do not understand your comment. Even with apache, the log is

$ curl -H 'x-crs-paranoia-level: 2' -H "x-backend: apache" -H "X-Format-Output: txt-matched-rules-extended" -H 'User-Agent: python-requests/1.2' https://sandbox.coreruleset.org/get
This payload has been tested against the OWASP ModSecurity Core Rule Set 
web application firewall. The test was executed using the apache engine and CRS version nightly.

The payload is being detected by triggering the following rules:

913101 PL2 Found User-Agent associated with scripting/generic HTTP client
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 0, 5, 0, 0


CRS therefore detects this payload starting with paranoia level 1.

where the last line is wrong. CRS would not detect this payload in PL 1 which can be seen by

$ curl -H 'x-crs-paranoia-level: 1' -H "x-backend: apache" -H "X-Format-Output: txt-matched-rules-extended" -H 'User-Agent: python-requests/1.2' https://sandbox.coreruleset.org/get
This payload has been tested against the OWASP ModSecurity Core Rule Set 
web application firewall. The test was executed using the apache engine and CRS version nightly.

No rules matched.

I agree, that this is a cosmetic problem (as mentioned in the first line of the ticket description)

fzipi · 2022-07-27T15:21:25Z

Well, let me try to find out if that can be solved. From the comment on the txt-output, I thought the only way of getting it was from the 98XX rules.

mirkodziadzka-avi · 2022-07-27T16:49:17Z

But even with 98xxxx in the apache case, it should parse the "0, 5, 0, 0" as PL2, right:

980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 0, 5, 0, 0

fzipi · 2022-07-27T19:48:05Z

Yes, but there is only one function for everything.

fzipi · 2022-07-28T11:43:04Z

@mirkodziadzka-avi, can you retest now?

mirkodziadzka-avi · 2022-07-28T12:22:19Z

@fzipi Seems to work fine and as expected. Thank You.

fzipi · 2022-07-28T12:38:43Z

Thanks for filing this! Closing now.

fzipi added the sandbox Sandbox related problems label Mar 26, 2022

franbuehler mentioned this issue Mar 28, 2022

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Closed

franbuehler mentioned this issue Apr 25, 2022

Monthly Chat Agenda May 2022 (2022-05-02 and 2022-05-16) #2503

Closed

github-actions bot added the ⌛ Stale issue This issue has been open 120 days with no activity. label Jul 25, 2022

github-actions bot removed the ⌛ Stale issue This issue has been open 120 days with no activity. label Jul 28, 2022

fzipi closed this as completed Jul 28, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Sandbox is wrong about in which PL a payload would be detected. #2450

Sandbox is wrong about in which PL a payload would be detected. #2450

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Sandbox is wrong about in which PL a payload would be detected. #2450

Sandbox is wrong about in which PL a payload would be detected. #2450

Comments

Describe the bug

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!