Can you try the SVN trunk version (v2.2.2)?

http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

I tried your complete transaction and the same category of check triggered
for a Cookie value -

[Fri Sep 02 12:41:07 2011] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match
"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){6,}"
at REQUEST_COOKIES:wp-settings-1. [file
"/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "521"] [id "981172"] [rev "2.2.2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "=1"] [hostname "example.com"] [uri "/"] [unique_id "TmEHIcCoqAEAALzcEnkAAAAI"]

That wp-settings-1 cookie payload decodes to -

wp-settings-1=editor=tinymce&m4=o&m0=o&uploader=1

And the rule triggered on having a bunch of = and & chars in it.

-Ryan


On 9/2/11 10:27 AM, "Thomas D. Dahlmann" <[email protected]> wrote:

>Hi
>
>I've got the exception shown below when I try to hit my webmail site.
>
>What kind of "bad" characters is the rule complaining about in this
>request?
>
>
>--63235740-A--
>[02/Sep/2011:15:59:55 +0200] TmDhWX8AAQEAAClL2qkAAAAJ x.x.x.x 28681
>2.2.2.2 443
>--63235740-B--
>GET /?_task=mail&_remote=1&_action=list&_mbox=RoundCube&_page=1&_refresh=1&_=1314971993364&_unlock=loading1314971993363 HTTP/1.1
>Host: example.com
>Connection: keep-alive
>Referer: https://example.com/
>X-Requested-With: XMLHttpRequest
>User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1
>Accept: application/json, text/javascript, */*; q=0.01
>X-Roundcube-Request: b7aa8fc451317a76730a72f69fbb3e9e
>Accept-Encoding: gzip,deflate,sdch
>Accept-Language: en-US,en;q=0.8
>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>Cookie: addressviewsplitter=250; prefsviewsplitter=195; identviewsplitter=300; mailviewsplitter=291; sieverulesviewsplitter=245; wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1; wp-settings-time-1=1308940613; mailviewsplitterv=165; roundcube_sessid=27cd4d0e05639619d9fa8684a6401300
>
>--63235740-F--
>HTTP/1.1 200 OK
>Expires: Fri, 02 Sep 2011 13:59:55 GMT
>Cache-Control: private, no-cache, must-revalidate, post-check=0, pre-check=0
>Pragma: no-cache
>Last-Modified: Fri, 02 Sep 2011 13:59:55 GMT
>X-DNS-Prefetch-Control: off
>Vary: Accept-Encoding
>Content-Encoding: gzip
>Content-Length: 1983
>Keep-Alive: timeout=15, max=91
>Connection: Keep-Alive
>Content-Type: text/plain; charset=UTF-8
>
>--63235740-H--
>Message: Operator GE matched 4 at TX:restricted_sqli_char_count. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "4"]
>Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=5, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
>Stopwatch: 1314971993379011 2207359 (- - -)
>Stopwatch2: 1314971993379011 2207359; combined=125219, p1=1234, p2=123185, p3=109, p4=385, p5=303, sr=387, sw=3, l=0, gc=0
>Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.1.
>Server: Apache/2.2.14 (Ubuntu)
>
>--63235740-Z--
>
>
>/Thomas
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
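The following is an added worked example, not code from the CRS project or from either poster. It re-creates the "restricted SQL character" check on the Cookie header from Thomas's audit log so that the false positive Ryan points out can be reproduced offline: the restricted-character class is copied from the 2.2.2 rule 981172 pattern in Ryan's log, the two thresholds come from this page (the 2.2.1 entry logged "Operator GE matched 4" on TX:restricted_sqli_char_count; the 2.2.2 pattern uses the {6,} quantifier), and the script assumes, as the decoded data in Ryan's alert suggests, that cookie values are URL-decoded before matching. Function names and the per-cookie evaluation are the example's own; they do not claim to be the exact variable list the real rules inspect.

```python
import re
from urllib.parse import unquote

# Restricted-character class taken from the CRS 2.2.2 rule 981172 pattern in the
# log above. The byte sequences \xc2\xb4, \xe2\x80\x99 and \xe2\x80\x98 in that
# log are the UTF-8 encodings of the acute accent and the two curly quotes.
RESTRICTED_CHARS = "~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>"
_CLASS = "[" + re.escape(RESTRICTED_CHARS) + "]"

# Thresholds as they appear on this page (assumption: they are the only two
# values involved): 2.2.1 logged "Operator GE matched 4" on
# TX:restricted_sqli_char_count, 2.2.2 uses the {6,} quantifier in its regex.
THRESHOLD_2_2_1 = 4
THRESHOLD_2_2_2 = 6


def count_restricted(value):
    """Number of restricted characters in one decoded value."""
    return sum(1 for ch in value if ch in RESTRICTED_CHARS)


def regex_981172_matches(value, threshold=THRESHOLD_2_2_2):
    """The 2.2.2 form of the check: ([class].*){6,} matches when the value
    holds at least `threshold` restricted characters, in any positions."""
    pattern = re.compile(r"(%s.*){%d,}" % (_CLASS, threshold), re.DOTALL)
    return pattern.search(value) is not None


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs and URL-decode the value.
    Assumption: CRS decodes REQUEST_COOKIES before matching, so %3D and %26
    become '=' and '&', which is what Ryan's decoded payload shows."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), unquote(value.strip())))
    return pairs


def evaluate_cookies(header):
    """Return {cookie_name: (restricted_count, hits_2_2_1, hits_2_2_2)},
    applying the count threshold (2.2.1) and the regex (2.2.2) to each value."""
    results = {}
    for name, value in parse_cookie_header(header):
        n = count_restricted(value)
        results[name] = (n, n >= THRESHOLD_2_2_1, regex_981172_matches(value))
    return results


# The Cookie header from Thomas's audit log, copied from this page.
COOKIE_HEADER = (
    "addressviewsplitter=250; prefsviewsplitter=195; identviewsplitter=300; "
    "mailviewsplitter=291; sieverulesviewsplitter=245; "
    "wp-settings-1=editor%3Dtinymce%26m4%3Do%26m0%3Do%26uploader%3D1; "
    "wp-settings-time-1=1308940613; mailviewsplitterv=165; "
    "roundcube_sessid=27cd4d0e05639619d9fa8684a6401300"
)

if __name__ == "__main__":
    for name, (n, old, new) in evaluate_cookies(COOKIE_HEADER).items():
        flag = "ALERT" if (old or new) else "ok"
        print(f"{name:24s} restricted={n:2d} "
              f"2.2.1(>=4)={old!s:5s} 2.2.2({{6,}})={new!s:5s} {flag}")
```

Run as-is, the script prints one line per cookie; only wp-settings-1 flags, with 7 restricted characters (four `=` and three `&`), which is over both the 2.2.1 count threshold and the 2.2.2 {6,} requirement, so moving to trunk alone does not make this cookie pass. If the cookie is legitimate for the site, the narrower fix is to exclude just that target from the rule, for example `SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:wp-settings-1"` (a ModSecurity 2.6 directive; the Producer line above shows 2.6.1), rather than disabling the rule.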

