Modsecurity false positives encoding

victoria123

Hello,
I tried today to get ModSecurity working on my server, but I found that it was giving a huge number of false positives.
First, most of them were because of rule 981257.
I deactivated that rule, and then I found more and more false positives, this time from rules 981204 and 981243.

Just entering one inner page of a website gets you blocked by ModSecurity.
It seems to be related to encoding.
This post seems to show the problem
non ascii characters causing false positives with different languages · Issue #21 · SpiderLabs/owasp-modsecurity-crs · GitHub

The websites are Spanish websites, and it seems to be related to that.
As that post is a little old, I am not sure what I have to do to configure ModSecurity to change this configuration.

What do I have to do to avoid this problem? If you could tell me step by step how to do it, I would appreciate it. :)

Code:
981243 - detects classic sql injection probings 2/2
Pattern match "(?i:(?:[\"'`]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`]\\d)|(?:\\^[\"'`])|(?:^[\\w\\s\"'`-]+(?<=and\\s)(?<=or|xor|div|like|between|and\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:[\"'`][\\s\\d]*?[^\\w\\s]+\\W*?\\d\ ..." at REQUEST_COOKIES:ci_session.


981257 - Detects MySQL comment-/space-obfuscated injections and backtick termination

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination', id:'981257', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

quizknows

There is generally a period of customization for anyone using a rule set as big as the OWASP rules.

You will probably have to keep fine tuning and disabling rules that do not work for you. Usually once you "weed out" the few rules that block your legitimate activities you are in pretty good shape.

Unfortunately the OWASP rules are not "one size fits all." You have to take the time to turn off rules that cause you problems. This is why they are so hard to implement properly on a server that is already in production.
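One way to do the tuning the reply describes, as an added example that is not part of either post and is not cPanel's or the CRS project's own configuration: ModSecurity 2.x directives placed in a custom configuration file that Apache loads after the CRS rule files (the file location and the `/app/` path are assumptions; the rule ids and the `ci_session` cookie come from the log excerpt above).

```apache
# Added example: ModSecurity 2.x tuning directives. They must be read AFTER the
# OWASP CRS files, otherwise the rule ids they refer to do not exist yet.

# 1. Narrowest fix first. The audit log showed 981243 matching inside
#    REQUEST_COOKIES:ci_session, so stop that one rule from inspecting that one
#    variable instead of switching the rule off everywhere.
SecRuleUpdateTargetById 981243 "!REQUEST_COOKIES:ci_session"

# 2. If 981257 also fires only on the session cookie, give it the same
#    exclusion. The rule's own logdata ("found within %{MATCHED_VAR_NAME}")
#    tells you which variable matched, so check the audit log before excluding.
SecRuleUpdateTargetById 981257 "!REQUEST_COOKIES:ci_session"

# 3. Scope a removal to the affected site only, so other vhosts keep the rule.
#    "/app/" is a hypothetical path for the Spanish site that trips 981204.
<LocationMatch "^/app/">
    SecRuleRemoveById 981204
</LocationMatch>

# 4. Last resort, the server-wide disable the reply talks about. Only the ids
#    that really block legitimate traffic, one per line, so the list stays
#    auditable.
# SecRuleRemoveById 981204

# 5. While tuning a production server, log without blocking. Rules still fire
#    into the audit log, so you can collect false positives without outages,
#    then switch back to "On" once the exclusions above are in place.
SecRuleEngine DetectionOnly
```

Each `SecRuleUpdateTargetById` keeps the rule active for every other argument, cookie and header, which is why it is preferable to `SecRuleRemoveById` whenever the audit log shows the match is confined to one variable.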