Right, there is a low chance of false negatives for SQLi attack against REQUEST_FILENAME. We will remove it from the TARGET list in the next rev. In the meantime, I would add in a SecRuleUpdateTargetById directive to exclude it.
SecRuleUpdateTargetById 981243 !REQUEST_FILENAME
SecRuleUpdateTargetById 981244 !REQUEST_FILENAME
SecRuleUpdateTargetById 981248 !REQUEST_FILENAME

-Ryan

From: [email protected]
Date: Wed, 12 Oct 2011 15:41:59 -0500
To: [email protected]
Subject: [Owasp-modsecurity-core-rule-set] false positive with rules 981243, 981244 and 981248

- Notice: This message is confidential and is addressed only to its recipients. If you receive it in error, please delete it and notify us. -

Hi,

I'm getting a false positive with rules 981243, 981244 and 981248 (Core Rule Set 2.2.2 and mod_security 2.6). It seems the rules don't like "dIv" or "div" in the URL. Is there a way to use SecRuleUpdateTargetById to handle this?

--37216702-B--
GET /uploads/tx_jcarousel/dIversite-culturelle-2_01.gif HTTP/1.1
Host: www.myhost.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en;q=0.5,en-us;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Cookie: style=normal; user=678843ea0aa41; cookies=true
Cache-Control: max-age=0

--37216702-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 576
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html

--37216702-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*x?or|div|like|between|and\\s*\\d+\\s*[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s ..." at REQUEST_FILENAME. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "dIv"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]

Claude

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
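As an added illustration (not code from the thread or from the CRS project), the Python script below reproduces the visible prefix of the 981248 pattern quoted in the audit log, confirms that it matches "dIv" in the reported path, parses the three SecRuleUpdateTargetById lines from the reply, and models which targets of the rule are still inspected once REQUEST_FILENAME is removed. The target list, the parsing helper, the evaluate() model and the sample transactions are assumptions constructed for the example; the model is not ModSecurity's engine, and the real target list should be read from the SecRule in your own copy of the CRS.

```python
import re

# Visible prefix of the 981248 pattern quoted in the audit log (the log cuts
# the rest off with "..."). The bare "div|like|between" alternatives in the
# second group are what let the rule fire on a path segment such as "dIversite".
CRS_981248_PREFIX = re.compile(
    r"(?i:(?:@.+=\s*\(\s*select)"
    r"|(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])"
    r"|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)"
    r"|(?:\d\s+group\s+by.+\()"
    r"|(?:(?:;|#|--)\s*(?:drop|alter))"
    r"|(?:(?:;|#|--)\s*(?:update|insert)\s))"
)

# Assumed target list for the example only; check the SecRule in your CRS copy.
ASSUMED_TARGETS = ["REQUEST_FILENAME", "ARGS", "ARGS_NAMES", "REQUEST_COOKIES"]

UPDATE_TARGET_RE = re.compile(r"^\s*SecRuleUpdateTargetById\s+(\d+)\s+(\S+)")


def parse_update_targets(config_text):
    """Map rule id -> set of variables removed with the "!VAR" target syntax.

    Only the negated-target form used in the reply is handled; the directive's
    optional replacement-target argument is ignored (assumption for the example).
    """
    excluded = {}
    for line in config_text.splitlines():
        m = UPDATE_TARGET_RE.match(line)
        if not m:
            continue
        rule_id, spec = m.group(1), m.group(2)
        for target in spec.split(","):
            if target.startswith("!"):
                excluded.setdefault(rule_id, set()).add(target[1:])
    return excluded


def evaluate(rule_id, variables, excluded):
    """Toy model of target selection: return {variable: matched text} for every
    target of rule_id that is still inspected and matches the pattern.
    Not ModSecurity's engine; it only shows which inputs get looked at.
    """
    skip = excluded.get(rule_id, set())
    hits = {}
    for name in ASSUMED_TARGETS:
        if name in skip:
            continue
        for value in variables.get(name, []):
            m = CRS_981248_PREFIX.search(value)
            if m:
                hits[name] = m.group(0)
                break
    return hits


# The three directives exactly as posted in the reply.
CONFIG = """
SecRuleUpdateTargetById 981243 !REQUEST_FILENAME
SecRuleUpdateTargetById 981244 !REQUEST_FILENAME
SecRuleUpdateTargetById 981248 !REQUEST_FILENAME
"""

# Constructed sample transactions (variable values only, not full requests).
FALSE_POSITIVE = {  # the reported GET: no query string, "dIv" in the path
    "REQUEST_FILENAME": ["/uploads/tx_jcarousel/dIversite-culturelle-2_01.gif"],
    "REQUEST_COOKIES": ["normal", "678843ea0aa41", "true"],
}
ATTACK_IN_ARGS = {  # constructed: injection attempt in a parameter value
    "REQUEST_FILENAME": ["/index.php"],
    "ARGS": ["1; drop table users"],
}
ATTACK_IN_PATH = {  # constructed: injection attempt carried in the path itself
    "REQUEST_FILENAME": ["/index.php/1;drop"],
}


def demo():
    """Run each sample transaction before and after the exclusions."""
    before = {}
    after = parse_update_targets(CONFIG)
    return {
        "fp_before": evaluate("981248", FALSE_POSITIVE, before),
        "fp_after": evaluate("981248", FALSE_POSITIVE, after),
        "args_before": evaluate("981248", ATTACK_IN_ARGS, before),
        "args_after": evaluate("981248", ATTACK_IN_ARGS, after),
        "path_before": evaluate("981248", ATTACK_IN_PATH, before),
        "path_after": evaluate("981248", ATTACK_IN_PATH, after),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:12s} {hits or 'no match'}")
```

The three outcomes are the point of the exchange: the reported path stops matching once REQUEST_FILENAME is dropped, an injection attempt in a parameter value is still caught through ARGS, and an injection attempt smuggled into the path itself is no longer seen by this rule, which is the small false-negative cost the reply accepts.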
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
