Hi,
I'm getting false positives with rules 981243, 981244 and 981248 (core rule set 2.2.2 and mod_security 2.6). Seems like the rules don't like "dIv" or "div" in the URL. Is there a way to use SecRuleUpdateTargetById to handle this?

--37216702-B--
GET /uploads/tx_jcarousel/dIversite-culturelle-2_01.gif HTTP/1.1
Host: www.myhost.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en;q=0.5,en-us;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Cookie: style=normal; user=678843ea0aa41; cookies=true
Cache-Control: max-age=0

--37216702-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 576
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html

--37216702-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*x?or|div|like|between|and\\s*\\d+ \\s*[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and| select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))| (?:(?:;|#|--)\\s*(?:update|insert)\\s ..." at REQUEST_FILENAME. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "dIv"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]

Claude
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
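
An added triage sketch, not part of the original post and not CRS code: it parses the H-section line from the audit log above and runs the visible part of the logged pattern over request paths, to show which alternative produces the [data "dIv"] hit. The helper names are hypothetical, and the sample paths other than the one from the post are constructed.

```python
import re

# Alternatives visible in the logged pattern for rule 981248, with the log's
# doubled backslashes un-escaped and its line-wrap spaces dropped. The log
# truncates the pattern ("..."), so any later alternatives are not included.
BRANCHES = [
    r"@.+=\s*\(\s*select",
    r"\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+]",
    r"\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W",
    r"\d\s+group\s+by.+\(",
    r"(?:;|#|--)\s*(?:drop|alter)",
]
# One capturing group per alternative, so lastindex names the one that fired.
PATTERN = re.compile("|".join(f"({b})" for b in BRANCHES), re.IGNORECASE)

# H-section line from the post; the pattern text is abbreviated to "(?i: ...)".
SAMPLE = ('Message: Access denied with code 403 (phase 2). Pattern match '
          '"(?i: ...)" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/'
          'mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks'
          '.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL '
          'injection attempts 1/2"] [data "dIv"] [severity "CRITICAL"] '
          '[tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]')

def parse_message(line):
    """Extract the matched variable and the [key "value"] fields."""
    target = re.search(r'" at (\S+?)\. \[', line)
    info = {"target": target.group(1) if target else None, "tags": []}
    for key, val in re.findall(r'\[(\w+) "([^"]*)"\]', line):
        if key == "tag":
            info["tags"].append(val)
        else:
            info[key] = val
    return info

def explain(value):
    """Return (matched_text, alternative_number) for the leftmost hit."""
    m = PATTERN.search(value)
    return (m.group(0), m.lastindex) if m else None

if __name__ == "__main__":
    print(parse_message(SAMPLE))
    # First path is from the post; the others are constructed benign paths.
    for path in ["/uploads/tx_jcarousel/dIversite-culturelle-2_01.gif",
                 "/img/divider.png", "/blog/i-like-cats.html",
                 "/static/logo.gif"]:
        print(path, "->", explain(path))
```

Alternative 2 contains the bare keywords div, like and between, so any REQUEST_FILENAME containing those letter sequences matches regardless of case.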
