Hi, I'm having some false positives with the new CRS 2.2.1. Here are some logs:
GET /reqmateriais/ HTTP/1.1
Host: XXXXX
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: __utma=215133587.906900060.1258122835.1305748093.1306927020.10; __utma=180012320.689559656.1270058189.1309899918.1309951864.43; __utmz=215133587.1306927020.10.4.utmcsr=host.example.org|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmz=180012320.1302032343.35.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ys-ext-gen6-layout-state=o%3Anorth%3Do%253Asize%253Dn%25253A52%5Esouth%3Do%253A%253Ds%25253Aundefined%5Eeast%3Do%253A%253Ds%25253Aundefined%5Ewest%3Do%253A%253Ds%25253Aundefined; csrftoken=3beb5b824cd173465e11c2af83a57a30; sessionid=6f57dc8eb71f6dca873c6cc93dcd9ff2; __acXXX=ZW1zYXJ0b3I6ZW1zYXJ0b3I%3D
Via: 1.1 host.example.org (squid)
X-Forwarded-For: X.X.X.X
Cache-Control: max-age=259200
Connection: keep-alive

--7782a473-F--
HTTP/1.1 403 Forbidden
Vary: accept-language,accept-charset,Accept-Encoding
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 743
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Content-Language: pt-br

--7782a473-H--
Message: Rule 1fb5e18 [id "950901"][file "/conf/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "59"] - Execution error - *PCRE limits exceeded* (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?([\\d\\w]+)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?\\2|([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\ ..." at REQUEST_COOKIES:ys-ext-gen6-layout-state. [file "/conf/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "59"] [id "950901"] [rev "2.2.1"] [msg "SQL Injection Attack"] [*data "253A52^south*"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Apache-Handler: type-map
Stopwatch: 1311269736484515 8520 (- - -)
Stopwatch2: 1311269736484515 8520; combined=6960, p1=347, p2=6586, p3=0, p4=0, p5=26, sr=93, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1-rc1 (http://www.modsecurity.org/); core ruleset/2.2.0; core ruleset/2.2.0.
Server: Apache/2.2.18 (Unix) mod_ssl/2.2.18 OpenSSL/0.9.8e-fips-rhel5

--
Jeronimo Zucco
http://jczucco.blogspot.com
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
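A small triage helper, added here as an example and not code from the poster or from the CRS project: it parses the "Message:" lines of the audit log's H section above to show, per rule id, which target variable fired, what data matched, and whether the regex engine aborted with "PCRE limits exceeded" (the SecPcreMatchLimit / SecPcreMatchLimitRecursion ceiling), which is the first thing to check before writing a rule exclusion for that cookie. SAMPLE_H is constructed from the posted log with the rule's regex shortened.

```python
import re
from collections import defaultdict

# Constructed sample: the two "Message:" lines from the H section above,
# with the 950901 regex shortened to "..." (raw string keeps the escapes).
SAMPLE_H = r'''
Message: Rule 1fb5e18 [id "950901"][file "/conf/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "59"] - Execution error - *PCRE limits exceeded* (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\s'\"]*)?([\d\w]+) ..." at REQUEST_COOKIES:ys-ext-gen6-layout-state. [file "/conf/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "59"] [id "950901"] [rev "2.2.1"] [msg "SQL Injection Attack"] [data "253A52^south"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"]
'''

# One [key "value"] token; values may contain backslash-escaped quotes.
TOKEN_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator matched against, e.g. REQUEST_COOKIES:name.
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[^ ]+?)?)\. ')

def parse_messages(section_h):
    """Return one dict per 'Message:' line with its bracketed fields."""
    events = []
    for line in section_h.splitlines():
        if not line.startswith("Message: "):
            continue
        ev = {"tags": [], "target": None,
              "pcre_limit": "PCRE limits exceeded" in line,
              "intercepted": line.startswith("Message: Access denied")}
        for key, value in TOKEN_RE.findall(line):
            if key == "tag":
                ev["tags"].append(value)
            else:
                ev[key] = value
        m = TARGET_RE.search(line)
        if m:
            ev["target"] = m.group(1)
        events.append(ev)
    return events

def triage(section_h):
    """Group events by rule id: targets hit, whether the request was blocked,
    and whether PCRE gave up (a match after that error is not trustworthy)."""
    summary = defaultdict(lambda: {"targets": set(), "pcre_limit": False,
                                   "intercepted": False, "msg": None})
    for ev in parse_messages(section_h):
        s = summary[ev["id"]]
        s["pcre_limit"] |= ev["pcre_limit"]
        s["intercepted"] |= ev["intercepted"]
        if ev["target"]:
            s["targets"].add(ev["target"])
        s["msg"] = ev.get("msg", s["msg"])
    return dict(summary)

if __name__ == "__main__":
    for rule_id, s in triage(SAMPLE_H).items():
        print(rule_id, s)
```

Feed it the H sections of several audit entries and a rule id that keeps firing on the same cookie with pcre_limit set is a tuning candidate rather than an attack.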
