Rus, What CRS version are you using? This looks old, as the newer versions are listed in the alert using the rev action. Also, I believe the variable listing/targets for this rule were updated, as it is missing ARGS.
Sent from my iPhone

On Sep 22, 2010, at 7:56 PM, "Russell Clemings" <[email protected]> wrote:

> I could use some help dealing with the following false positive (some
> identifying details masked):
>
> 116818:[Tue Sep 21 22:52:43 2010] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_COOKIES:__utmz. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/mail"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "xxx.xxx.xxx"] [uri "/xxxx-xxxxx-xxxxxxxx"] [unique_id "TJlve0CDUIUAAHyD6SMAAAAL"]
>
> A couple of previous posts suggest that this is hitting on a Google Analytics
> cookie (REQUEST_COOKIES:__utmz) that tracks where the user came from. It only
> seems to affect a few users. I've commented out the rule, and that fixed the
> immediate problem, but of course I would rather create a narrow exemption and
> leave the rule intact otherwise.
>
> How would I do that? FWIW, this is a cPanel VPS so the exceptions have to go
> in an unusual place (e.g. /usr/local/apache/conf/userdata/std/2/etc/etc/etc)
> but I can handle that part. It's how to write the rule that confuses me.
>
> Here's the rule as it stands now:
>
> SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
> "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
> "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
>
> I probably should add that I'm functionally regex-illiterate, so please speak
> slowly :)
>
> rac
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
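Neither message in the thread shows how the narrow exemption would look, so here is an added example (not written by either poster and not part of the CRS project) of excluding only the __utmz cookie from rule 959006 while leaving the rule active for everything else. It assumes ModSecurity 2.6 or later for SecRuleUpdateTargetById and ctl:ruleRemoveTargetById; the rule id 1000001 and the URI prefix /placeholder-path are constructed placeholders, and the file must be included after the one that defines 959006.

```apache
# Option 1: global target exclusion. Rule 959006 keeps inspecting headers,
# XML and every other cookie; only REQUEST_COOKIES:__utmz is dropped.
# This directive must be parsed AFTER modsec2.user.conf defines 959006.
SecRuleUpdateTargetById 959006 "!REQUEST_COOKIES:__utmz"

# Option 2: same exclusion, but scoped to the request path that produced
# the false positive, so all other URIs keep full cookie inspection.
# id 1000001 is a constructed placeholder; use an id unused on your host.
SecRule REQUEST_URI "@beginsWith /placeholder-path" \
    "phase:1,id:1000001,t:none,nolog,pass,\
    ctl:ruleRemoveTargetById=959006;REQUEST_COOKIES:__utmz"

# Option 3 (works on any ModSecurity 2.x, since the posted rule already
# uses a negated target): edit the rule's own variable list and change
#   ...|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
# to
#   ...|REQUEST_COOKIES|!REQUEST_COOKIES:__utmz|REQUEST_COOKIES_NAMES \
# leaving the regex and the action list exactly as posted.
```

Whichever option is used, keep the alert in the audit log for a while after deploying it (the rule still logs for other targets) to confirm the exemption only suppresses the __utmz hits and nothing else.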
