I've been looking at some false positives related to rule 942200.
Side note, I'm running CRS 3.0.2 but the rules still have a version 3.0.0 tag.
I was surprised to see that.
Here's an exemplar from the audit file:
Message: Warning. Pattern match "(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\\Z|[^\"'`]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" at ARGS:data[]. [file "/etc/httpd/modsecurity.d/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "649"] [id "942200"] [rev "2"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22] found within ARGS:data[]: [gallery columns=\x225\x22 size=\x22medium\x22 ids=\x224953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22]"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"]
After looking at this rule a bit, it will trigger on a string like:
To quote William Shakespeare, "to be, or not to be".
The first alternative in the regex matches a very broad range of text and seems
far too general. Is this intentional? It looks like the intent is to capture
variations on quoted numbers but it's going above and beyond.
The rule:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" \
    "phase:request,\
    rev:'2',\
    ver:'OWASP_CRS/3.0.0',\
    maturity:'9',\
    accuracy:'8',\
    capture,\
    t:none,t:urlDecodeUni,\
    block,\
    msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\
    id:942200,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
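The false positive described in the post, reproduced offline as an added example (not part of the original message or of CRS): the 942200 pattern is compiled with each top-level alternative wrapped in a named group so the result reports which alternative fired. The sample values are constructed from the audit log and the Shakespeare sentence above; the rule's t:urlDecodeUni transformation is not applied, so inputs are assumed to be already decoded.

```python
import re

# The 942200 regular expression quoted in the post. Apart from the named groups
# (added here so the result can say which alternative matched) it is identical.
RULE_942200 = re.compile(
    r'(?i)'
    r'(?P<quoted>,.*?[)\da-f"\'`]["\'`](?:["\'`].*?["\'`]|\Z|[^"\'`]+))'
    r'|(?P<select_from>\Wselect.+\W*?from)'
    r'|(?P<func_space>(?:select|create|rename|truncate|load|alter|delete'
    r'|update|insert|desc)\s*?\(\s*?space\s*?\()'
)


def check_942200(value):
    """Return (alternative_name, matched_text) or None for a decoded value.

    The real rule runs t:urlDecodeUni before matching; this helper assumes
    the caller passes already-decoded argument text.
    """
    m = RULE_942200.search(value)
    if m is None:
        return None
    # Only one top-level alternative can participate, so lastgroup names it.
    return m.lastgroup, m.group(0)


# Constructed sample values: the WordPress gallery shortcode from the audit
# log, the Shakespeare sentence from the post, and a value with no comma.
SAMPLES = {
    "gallery": '[gallery columns="5" size="medium" '
               'ids="4953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570"]',
    "shakespeare": 'To quote William Shakespeare, "to be, or not to be".',
    "plain": "no commas and no quotes here",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: {check_942200(value)}")
```

Both the gallery shortcode and the Shakespeare sentence hit the first alternative, since a comma followed later by a hex digit, digit, or quote immediately before a quote is enough; the matched text for the gallery value is exactly the `%{TX.0}` shown in the audit log.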