
Modsecurity false positives encoding

Discussion in 'Security' started by victoria123, Mar 23, 2016.

  1. victoria123

    victoria123 Registered

    Joined:
    Mar 23, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    spain
    cPanel Access Level:
    Root Administrator
    Hello,
    I have tried today to make ModSecurity work on my server, but I found that it was giving a huge amount of false positives.
    First, most of them were because of rule 981257.
    I deactivated that rule, and then I found more and more false positives. This time rules 981204 and 981243.

    Just entering an inner page of a website, ModSecurity blocks you.
    It seems to be related to encoding.
    This post seems to show the problem
    non ascii characters causing false positives with different languages · Issue #21 · SpiderLabs/owasp-modsecurity-crs · GitHub

    The websites are Spanish websites, and it seems to be related to that.
    As that post is a little old, I am not sure what I have to do to configure ModSecurity to change this configuration.

    What do I have to do to avoid this problem? If you could tell me step by step how to do it, I would appreciate it. :)

    Code:
    981243 - detects classic sql injection probings 2/2
    Pattern match "(?i:(?:[\"'`]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`]\\d)|(?:\\^[\"'`])|(?:^[\\w\\s\"'`-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`][\\s\\d]*?[^\\w\\s]+\\W*?\\d\ ..." at REQUEST_COOKIES:ci_session.

    981257 - Detects MySQL comment-/space-obfuscated injections and backtick termination

    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination', id:'981257', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
    #1 victoria123, Mar 23, 2016
    Last edited by a moderator: Mar 23, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    There is generally a period of customization for anyone using a rule set as big as the OWASP rules.

    You will probably have to keep fine tuning and disabling rules that do not work for you. Usually once you "weed out" the few rules that block your legitimate activities you are in pretty good shape.

    Unfortunately the OWASP rules are not "one size fits all." You have to take the time to turn off rules that cause you problems. This is why they are so hard to implement properly on a server that is already in production.
     
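    The tuning that the reply above describes, written out as ModSecurity 2.x directives for the three rule ids and the `ci_session` cookie named in the question. This is an added example, not configuration posted in the thread or shipped by cPanel or the CRS; the file location, the rule id 1000001 and the hostname `www.example.es` are assumptions chosen for the illustration.

```apacheconf
# Added example (not from the thread): local ModSecurity 2.x tuning for the
# false positives described above. Must be loaded AFTER the OWASP CRS rule
# files, because SecRuleUpdateTargetById can only modify rules already defined.
# File location is an assumption; on cPanel-managed Apache the user rules
# file is commonly /etc/apache2/conf.d/modsec/modsec2.user.conf.

# 1) Coarse fix, as suggested in the thread: drop the noisy rule entirely.
#    This removes its protection for every vhost and every input.
SecRuleRemoveById 981257

# 2) Narrower fix: keep rule 981243 active but stop it inspecting the one
#    variable that produced the false positive (the session cookie named in
#    the log excerpt). The "!" prefix removes a target from the rule.
SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:ci_session

# 3) Narrowest fix: disable 981204 only for requests to one site, using a
#    phase-1 rule with a ctl action. Rule id 1000001 and the hostname are
#    placeholders for this example; use an id outside the CRS id range.
SecRule SERVER_NAME "@streq www.example.es" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=981204"
```

    Run `apachectl -t` before reloading Apache, then watch the audit log: if the same message reappears with a different `MATCHED_VAR_NAME`, add that variable to the exclusion rather than widening to a whole-rule removal.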