Rule 932260 false positive with "scheduledAt" keyword #3288

thibauds · 2023-08-30T07:54:28Z

Description

Our web application needs to sort events, we have different sorts and one of them is against a scheduledAt field.

How to reproduce the misbehavior

curl https://sandbox.coreruleset.org/events?sortBy=scheduledAt

Your Environment

CRS version (e.g., v3.3.4): default from sandbox
Paranoia level setting (e.g. PL1) : PL1
ModSecurity version (e.g., 2.9.6): default from sandbox
Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): default from sandbox
Operating System and version: default from sandbox

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

Blocked by #3276

The text was updated successfully, but these errors were encountered:

airween · 2023-08-30T10:15:26Z

Hi @thibauds!

Thanks for your report. First, could you clarify your description? I mean you wrote:

CRS version (e.g., v3.3.4): default from sandbox

but it seems that Sandbox uses 4.0.0 without any argument (I checked your command above).

    "error_messages": [
      "[file \"apache2_util.c\"] [line 271] [level 3] [client 172.18.0.14] ModSecurity: Warning. Match of \"rx [0-9]\\\\\\\\\\\\\\\\s*\\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\s*[0-9]\" against \"MATCHED_VAR\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"472\"] [id \"932260\"] [msg \"Remote Command Execution: Direct Unix Command Execution\"] [data \"Matched Data: sched found within MATCHED_VAR: scheduledAt\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/88\"] [tag \"PCI/6.5.2\"] [hostname \"localhost\"] [uri \"/events\"] [unique_id \"ZO8ScQS8FF8G3PGJJ9tHHQAAAIE\"]",
      "[file \"apache2_util.c\"] [line 271] [level 3] [client 172.18.0.14] ModSecurity: Warning. Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"186\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [hostname \"localhost\"] [uri \"/events\"] [unique_id \"ZO8ScQS8FF8G3PGJJ9tHHQAAAIE\"]",
      "[file \"apache2_util.c\"] [line 271] [level 3] [client 172.18.0.14] ModSecurity: Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"96\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [tag \"modsecurity\"] [tag \"reporting\"] [hostname \"localhost\"] [uri \"/events\"] [unique_id \"ZO8ScQS8FF8G3PGJJ9tHHQAAAIE\"]"
    ],

If you want to see only the triggered rules, you should use this command:

curl -H "x-format-output: txt-matched-rules" https://sandbox.coreruleset.org/events?sortBy=scheduledAt

This gives less details:

932260 PL1 Remote Command Execution: Direct Unix Command Execution
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

The triggered rule is 932260, which exists only in 4.0, but not in 3.3.

As you can see in the rule's comment, the regexp was generated by crs-toolchain and the rule's regex file. This file includes several files, eg. unix-shell-4andup-with-params.ra, which contains the sched pattern. This is the cause.

We can check whether this is really a false positive or whether it is at this PL (PL1), but I'm afraid the solution now is that you make an exclusion against this rule (or against the rule and the affected target).

Let me know if I can help you that.

dune73 · 2023-08-30T12:08:58Z

If foo=scheduleAt leads to an FP in 932260 PL1, we may want to discuss this before CRSv4 hits the street.

thibauds · 2023-08-30T13:14:40Z

@airween I am sorry for the confusion about the version and my expectations.
Let me clarify:

You are right the version is 4.0.0.
I was not looking for a solution, I just wanted to raise attention (I was reading this blog post which recommends to report false positive on a PL 1 system). I am not knowledgeable enough to decide if this rule is acceptable or not, you can close this issue if you think that it is.

Thanks for your help and your great work.

RedXanadu · 2023-09-04T17:04:56Z

It appears that several plain English words are caught at PL 1 by rule 932260, including

bash
curl
shell
strings
unzip

$ curl https://sandbox.coreruleset.org/?word=strings -H 'x-format-output: txt-matched-rules'
932260 PL1 Remote Command Execution: Direct Unix Command Execution

I can understand how a judgement call might be made to live with FPs on bash, curl, and shell, as those seem like obvious targets. But strings and unzip I'm less sure about.

theseion · 2023-09-04T19:02:07Z

As discussed in the meeting, any PR for this issue should wait until #3276 has been merged.

theseion · 2023-09-04T19:07:07Z

The idea is to solve this by adding English words in the command list (generated) to the "FP" list used by the rule.

RedXanadu · 2023-09-08T15:21:02Z

Note to self: waiting on #3276. Check again on Monday.

#3276 is still open. Check again next Monday.

(2023-09-18) #3276 is still open but nearly complete. Check again next Monday.

dune73 · 2023-09-12T13:55:36Z

We're getting there with #3276.

theseion · 2023-09-21T05:00:59Z

#3276.

See also #3189, which should fix the issue for user agents.

RedXanadu · 2023-09-21T08:48:29Z

@theseion So is this issue dependent on / blocked by #3189? Do I need to also wait for that to be completed? Or are those changes separate / will not conflict?

theseion · 2023-09-21T08:51:31Z

No, it’s not dependent. I just pointed it out because it’s related.

…

-- Sent from Canary (https://canarymail.io)

On Thursday, Sep 21, 2023 at 10:48 AM, Andrew Howe ***@***.*** ***@***.***)> wrote: @theseion (https://github.com/theseion) So is this issue dependent on / blocked by #3189 (#3189)? Do I need to also wait for that to be completed? — Reply to this email directly, view it on GitHub (#3288 (comment)), or unsubscribe (https://github.com/notifications/unsubscribe-auth/AAB5GV5BJAOCZHHUVY45EUDX3P5ORANCNFSM6AAAAAA4EC5FXU). You are receiving this because you were mentioned.Message ID: ***@***.***>

RedXanadu · 2023-09-25T12:43:51Z

'eval' and 'sched' now added to the Unix rules PL 1 exclusion/FP list.

Fixed in #3320.

thibauds added the ➕ False Positive label Aug 30, 2023

dune73 mentioned this issue Sep 4, 2023

Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18) #3279

Closed

RedXanadu self-assigned this Sep 4, 2023

RedXanadu mentioned this issue Sep 11, 2023

feat: add dependency checks to PRs and issues #3298

Merged

theseion added the v4 Should go into release v4 label Sep 19, 2023

RedXanadu mentioned this issue Sep 25, 2023

fix: Fix fps 932260 #3320

Merged

RedXanadu added the PR available this issue is referenced by an active pull request label Sep 25, 2023

dune73 closed this as completed in #3320 Sep 26, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Rule 932260 false positive with "scheduledAt" keyword #3288

Rule 932260 false positive with "scheduledAt" keyword #3288

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Rule 932260 false positive with "scheduledAt" keyword #3288

Rule 932260 false positive with "scheduledAt" keyword #3288

Comments

Uh oh!

Description

How to reproduce the misbehavior

Your Environment

Confirmation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!