Hello,
I'm sorry to bring this up again, but my questions didn't get an answer, so I
still think these rules to be prone to false positives.
As a new release of the rules is coming out soon, I thought I should bring this
up for discussion again.
Shouldn't rules 950107, 950109 and 950108 be rewritten to be something more like
this: "\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%u[0-9a-fA-F]{4}(?![0-9a-fA-F])"? Like
they are now, "%1" would match and, unless I missed the point on what the rules
should do, this would be a false positive, am I right?
Thanks and sorry for all the noise.
Luís Silva
Quoting "Luís Silva" <[email protected]>:
> Hello,
>
> On Wed, 2010-09-08 at 10:16 -0500, Ryan Barnett wrote:
>
>> On 9/8/10 10:44 AM, "Dirk Caspari" <[email protected]> wrote:
>>
>> > --411a3f76-B--
>> > GET /src/read_body.php?mailbox=INBOX&passed_id=81&startMessage=1 HTTP/1.1
>> > Host: xxx.xxxxxxxx.de
>> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.9.2.3)
>> > Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
>> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> > Accept-Language: de-DE,de;q=0.8,de-de;q=0.6,en-us;q=0.4,en;q=0.2
>> > Accept-Encoding: gzip,deflate
>> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> > Keep-Alive: 115
>> > Connection: keep-alive
>> > Referer:
>> >
>> https://xxx.xxxxxxxxx.de/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1
>> > &mailbox=INBOX
>> > Cookie: xxxxx
>> >
>> >
>> > --411a3f76-H--
>> > Message: Pattern match "\%(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}" at
>> > ARGS:passed_id. [file
>> >
>> "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_20_protocol_violations
>> > .conf"]
>> > [line "185"] [id "950109"] [rev "2.0.8"] [msg "Multiple URL Encoding
>> > Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]
>> > Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score.
>> > [file
>> >
>> "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"]
>> > [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=,
>> > XSS=): Multiple URL Encoding Detected !
>> > %{matched_var_name}=%{matched_var} !"]
>> >
>> > Thanks.
>> > D I R K
>> >
>> >
>> >
>>
>> Hmm.. Looks like the previous version in SVN was missing the parentheses in
>> the RegEx. Use this latest version -
>>
>> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf?revision=1535
>>
>>
>
> The regular expression in rules 950107, 950109 and 950108 shouldn't
> instead be something like "\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%
> u[0-9a-fA-F]{4}(?![0-9a-fA-F])"?
> The expression provided will still match for example "%1" and, unless I
> missed the point on what the rules should do, this would be a false
> positive.
>
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> [email protected]
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>
> Thanks,
> Luís
>
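To make the three regex variants discussed in this thread concrete, here is an added Python example (not part of the thread and not CRS code) that runs each of them against constructed argument values. The `GROUPED` pattern is my assumption of what the parenthesised fix looks like, since the thread does not quote it, and a single `unquote` pass stands in for the decoding the rule is assumed to run on the argument before matching.

```python
import re
from urllib.parse import unquote

# Rule 950109 as it fired in the quoted audit log: the alternation has no
# grouping, so "[0-9a-fA-F]{2}" matches any two hex digits on their own
# (e.g. "81" in passed_id=81), which is why the request above was flagged.
LOGGED = re.compile(r"\%(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}")

# ASSUMPTION: the shape of the parenthesised fix Ryan refers to; the thread
# does not quote it.  The alternation is now tied to the "%", but the
# "(?!$|\W)" branch still fires on "%1", which is Luís's objection.
GROUPED = re.compile(r"\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Luís's proposal from the thread: a percent sign followed by exactly two
# hex digits, or "u" plus exactly four, with a lookahead so "%abc" or "%1"
# does not count.
PROPOSED = re.compile(
    r"\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%u[0-9a-fA-F]{4}(?![0-9a-fA-F])"
)

VARIANTS = {"logged": LOGGED, "grouped": GROUPED, "proposed": PROPOSED}


def decoded_value(raw: str) -> str:
    """One %XX decode pass (assumed stand-in for the rule's decode step).
    A double-encoded value keeps one layer of "%XX" after this pass."""
    return unquote(raw)


def which_fire(raw: str) -> set:
    """Names of the regex variants that match the once-decoded value."""
    value = decoded_value(raw)
    return {name for name, rx in VARIANTS.items() if rx.search(value)}


# Constructed sample argument values (not from the thread's log).
SAMPLES = {
    "81": "passed_id from the quoted request",
    "%2541": "double-encoded 'A', decodes once to %41",
    "%25u0041": "double-encoded %u0041",
    "%1": "single digit after the percent sign",
    "%": "lone trailing percent sign",
}

if __name__ == "__main__":
    for raw, note in SAMPLES.items():
        print(f"{raw!r:12} -> {sorted(which_fire(raw))}  ({note})")
```

Only the `logged` variant fires on the plain value `81`, and only `proposed` stays quiet on `%1`, while all three agree on the genuinely double-encoded inputs.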