I could use some help dealing with the following false positive (some
identifying details masked):
116818:[Tue Sep 21 22:52:43 2010] [error] [client XX.XX.XX.XX] ModSecurity:
Access denied with code 501 (phase 2). Pattern match
"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?
..." at REQUEST_COOKIES:__utmz. [file
"/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg
"System Command Injection"] [data "/mail"] [severity "CRITICAL"] [tag
"WEB_ATTACK/COMMAND_INJECTION"] [hostname "xxx.xxx.xxx"] [uri
"/xxxx-xxxxx-xxxxxxxx"] [unique_id "TJlve0CDUIUAAHyD6SMAAAAL"]
A couple of previous posts suggest that this is hitting on a Google
Analytics cookie (REQUEST_COOKIES:__utmz) that tracks where the user came
from. It only seems to affect a few users. I've commented out the rule, and
that fixed the immediate problem, but of course I would rather create a
narrow exemption and leave the rule intact otherwise.
How would I do that? FWIW, this is a cPanel VPS so the exceptions have to go
in an unusual place (e.g. /usr/local/apache/conf/userdata/std/2/etc/etc/etc)
but I can handle that part. It's how to write the rule that confuses me.
Here's the rule as it stands now:
SecRule
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES
\
"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))"
\
"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System
Command
Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
I probably should add that I'm functionally regex-illiterate, so please
speak slowly :)
rac
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
