
Modsecurity false positives encoding

Discussion in 'Security' started by victoria123, Mar 23, 2016.

  1. victoria123

    victoria123 Registered

    Mar 23, 2016
    cPanel Access Level: Root Administrator
    I have tried today to make the modsecurity work in my server, but I found that it was giving a huge amount of false positives.
    First, most of them were because of rule 981257
    I deactivated that rule, and then I found more and more false positives. This time rules 981204 and 981243

    Just entering one inner page of a website, ModSecurity blocks you.
    It seems to be related to encoding.
    This post seems to show the problem
    non ascii characters causing false positives with different languages · Issue #21 · SpiderLabs/owasp-modsecurity-crs · GitHub

    The websites are Spanish websites, and it seems to be related to that.
    As that post is a little old, I am not sure what I have to do to configure the modsec to change this configuration.

    What do I have to do to avoid this problem? If you could tell me step by step how to do it, I would appreciate it. :)

    981243 - detects classic sql injection probings 2/2
    Pattern match "(?i:(?:[\"'`]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`]\\d)|(?:\\^[\"'`])|(?:^[\\w\\s\"'`-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`][\\s\\d]*?[^\\w\\s]+\\W*?\\d\ ..." at REQUEST_COOKIES:ci_session.
    981257 - Detects MySQL comment-/space-obfuscated injections and backtick termination
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination', id:'981257', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
    #1 victoria123, Mar 23, 2016
    Last edited by a moderator: Mar 23, 2016
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Apr 11, 2011
    cPanel Access Level: Root Administrator
  3. quizknows

    quizknows Well-Known Member

    Oct 20, 2009
    cPanel Access Level: DataCenter Provider
    There is generally a period of customization for anyone using a rule set as big as the OWASP rules.

    You will probably have to keep fine tuning and disabling rules that do not work for you. Usually once you "weed out" the few rules that block your legitimate activities you are in pretty good shape.

    Unfortunately the OWASP rules are not "one size fits all." You have to take the time to turn off rules that cause you problems. This is why they are so hard to implement properly on a server that is already in production.
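The tuning loop described in this thread (find which CRS rules fire on legitimate traffic, then narrow or disable them) is easier with a small triage script over the Apache error log. The following is an added example, not code from the thread or from cPanel or the OWASP CRS project. The log lines are constructed to mimic the ModSecurity 2.x message format, with placeholder file paths and unique_id values; the rule ids and the REQUEST_COOKIES:ci_session target are the ones quoted in the first post. It counts hits per rule id, records which variable each rule matched on, and emits SecRuleUpdateTargetById directives that stop a rule from inspecting that one variable, which is a narrower change than disabling the whole rule with SecRuleRemoveById.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries shaped like ModSecurity 2.x messages in the
# Apache error log. Illustrative only: the file paths and unique_id values
# are placeholders, and the rule patterns are elided as "(?i:...)".
SAMPLE_LOG = """\
[Wed Mar 23 10:00:01 2016] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:...)" at REQUEST_COOKIES:ci_session. [file "/path/to/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "example.test"] [uri "/es/noticias/"] [unique_id "placeholder-1"]
[Wed Mar 23 10:00:02 2016] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:...)" at REQUEST_COOKIES:ci_session. [file "/path/to/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "120"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [severity "CRITICAL"] [hostname "example.test"] [uri "/es/noticias/"] [unique_id "placeholder-2"]
[Wed Mar 23 10:00:05 2016] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "(?i:...)" at REQUEST_COOKIES:ci_session. [file "/path/to/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "example.test"] [uri "/es/contacto/"] [unique_id "placeholder-3"]
[Wed Mar 23 10:00:09 2016] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:q. [file "/path/to/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "93"] [id "981204"] [msg "(placeholder message)"] [severity "CRITICAL"] [hostname "example.test"] [uri "/es/buscar/"] [unique_id "placeholder-4"]
"""

# "... at REQUEST_COOKIES:ci_session. [file ..." -> the variable the rule matched on.
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\. \[file ')
# [id "981243"], [msg "..."], [uri "..."] and similar bracketed fields.
# Values containing escaped quotes (\") would need a fuller parser.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_modsec_events(log_text):
    """Return one dict per ModSecurity line: rule id, message, matched
    target (e.g. REQUEST_COOKIES:ci_session), URI and client address."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "id" not in fields:
            continue
        target = TARGET_RE.search(line)
        client = CLIENT_RE.search(line)
        events.append({
            "id": fields["id"],
            "msg": fields.get("msg", ""),
            "target": target.group(1) if target else "",
            "uri": fields.get("uri", ""),
            "client": client.group(1) if client else "",
        })
    return events


def hits_per_rule(events):
    """Count how often each rule id fired. A rule that fires on plain page
    views across many clients and URIs is the first tuning candidate."""
    return Counter(e["id"] for e in events)


def targets_per_rule(events):
    """For each rule id, which variable it matched on and how often."""
    out = defaultdict(Counter)
    for e in events:
        out[e["id"]][e["target"]] += 1
    return out


def build_exclusions(events, min_hits=2):
    """Emit ModSecurity 2.x directives that remove one variable from a rule's
    target list instead of disabling the rule outright. Only (rule, target)
    pairs seen at least min_hits times are included; review them against
    traffic you have confirmed is legitimate before deploying. The
    directives must be loaded after the CRS rules they modify."""
    lines = []
    for rule_id, targets in sorted(targets_per_rule(events).items()):
        for target, n in sorted(targets.items()):
            if target and n >= min_hits:
                lines.append(f'SecRuleUpdateTargetById {rule_id} "!{target}"')
    return lines


if __name__ == "__main__":
    evs = parse_modsec_events(SAMPLE_LOG)
    for rule_id, n in hits_per_rule(evs).most_common():
        print(f"{rule_id}: {n} hits, targets {dict(targets_per_rule(evs)[rule_id])}")
    print("\n".join(build_exclusions(evs)))
```

Run it against a real error log by replacing SAMPLE_LOG with the file contents. With the constructed sample, only rule 981243 reaches two hits on the ci_session cookie, so the script proposes a single target exclusion for it; lowering min_hits to 1 proposes one per observed pair. Whether an exclusion or a full SecRuleRemoveById is right depends on confirming that the matched traffic really is legitimate, as the post above says.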
