Hi Ken,

We used to have ML problems, but it seems at least your message went through. Hopefully OWASP HQ has fixed it for good.
I confirm the FP here and can only add that 942200 has been set to PL2 for causing FPs from time to time.

Franziska Bühler disassembled the regexes of the SQL rules, so you can take a better look at the sources behind the performance optimized regexes:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1/dev/util/regexp-assemble/regexp-942200.data

Maybe she can chime in here and add her thoughts on this rule.

Best,

Christian

On Wed, Jan 10, 2018 at 11:23:48AM -0800, Ken Brucker wrote:
> I've been looking at some false positives related to rule 942200.
>
> Side note, I'm running CRS 3.0.2 but the rules still have a version
> 3.0.0 tag. I was surprised to see that.
>
> Here's an exemplar from the audit file:
>
> Message: Warning. Pattern match
> "(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\\Z|[^\"'`]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())"
> at ARGS:data[]. [file "/etc/httpd/modsecurity.d/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> [line "649"] [id "942200"] [rev "2"]
> [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"]
> [data "Matched Data: ,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22]
> found within ARGS:data[]: [gallery columns=\x225\x22 size=\x22medium\x22
> ids=\x224953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22]"]
> [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"]
> [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
> [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"]
> [tag "PCI/6.5.2"] [tag "paranoia-level/2"]
>
> After looking at this rule a bit, it will trigger on a string like:
>
> To quote William Shakespeare, "to be, or not to be".
>
> The first alternative in the regex matches a very broad range of text
> and seems far too general. Is this intentional? It looks like the
> intent is to capture variations on quoted numbers but it's going above
> and beyond.
>
> The rule:
>
> SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" \
>     "phase:request,\
>     rev:'2',\
>     ver:'OWASP_CRS/3.0.0',\
>     maturity:'9',\
>     accuracy:'8',\
>     capture,\
>     t:none,t:urlDecodeUni,\
>     block,\
>     msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\
>     id:942200,\
>     tag:'application-multi',\
>     tag:'language-multi',\
>     tag:'platform-multi',\
>     tag:'attack-sqli',\
>     tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
>     tag:'WASCTC/WASC-19',\
>     tag:'OWASP_TOP_10/A1',\
>     tag:'OWASP_AppSensor/CIE1',\
>     tag:'PCI/6.5.2',\
>     tag:'paranoia-level/2',\
>     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
>     severity:'CRITICAL',\
>     setvar:'tx.msg=%{rule.msg}',\
>     setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
>     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
>     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
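To reproduce what Ken observed without a running ModSecurity, here is an added Python example (not code from the CRS project or from either poster in this thread). It assembles the three alternatives of the 942200 operator regex exactly as quoted above, runs them against the gallery shortcode from the audit log, the Shakespeare sentence, a harmless control string and two constructed injection probes, and reports which alternative fired. The `unquote_plus()` call is an assumed stand-in for the rule's `t:urlDecodeUni` transformation (it does not handle the `%uXXXX` form); all sample inputs are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# The three alternatives of the 942200 operator regex, split at the top-level
# "|" so each one can be tested on its own. Joined with "(?i:" ... ")" they
# reproduce the operator string quoted in the thread character for character.
ALTERNATIVES = [
    # 1: a comma, anything (lazy), then ")" / digit / a-f / quote, then a quote,
    #    then a quoted run, or end of input, or a run of non-quote characters.
    #    This is the branch Ken says matches far too broadly.
    ("comma-quote",
     r'''(?:,.*?[)\da-f"'`]["'`](?:["'`].*?["'`]|\Z|[^"'`]+))'''),
    # 2: a non-word character, "select", anything, optional non-word run, "from".
    ("select-from", r'(?:\Wselect.+\W*?from)'),
    # 3: a keyword followed by "(" "space" "(" (the comment/space obfuscation),
    #    the only alternative with a capturing group.
    ("space-call",
     r'((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)'
     r'\s*?\(\s*?space\s*?\()'),
]

# Scoped inline flags "(?i:...)" need Python 3.6 or later.
RULE_942200_RE = re.compile("(?i:" + "|".join(src for _, src in ALTERNATIVES) + ")")
BRANCH_RES = [(name, re.compile("(?i:" + src + ")")) for name, src in ALTERNATIVES]


def check_942200(raw_value):
    """Evaluate one argument value against 942200.

    Returns None when the rule would not fire, otherwise a dict with the text
    ModSecurity would expose as TX.0 and the name of the alternative that
    produced it. unquote_plus() approximates t:urlDecodeUni (assumption: plain
    %XX decoding is enough for these samples; %uXXXX is not supported here).
    """
    value = unquote_plus(raw_value)
    m = RULE_942200_RE.search(value)
    if m is None:
        return None
    # Alternation is ordered: at the match position the engine takes the first
    # alternative that succeeds, so re-trying them in order identifies the branch.
    branch = next(name for name, pat in BRANCH_RES if pat.match(value, m.start()))
    return {"matched": m.group(0), "branch": branch}


# Constructed sample values (the first two are taken from Ken's message).
SAMPLES = [
    '[gallery columns="5" size="medium" '
    'ids="4953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570"]',
    'To quote William Shakespeare, "to be, or not to be".',
    "ids%3D%224953%2C4947%22",           # same shape, still URL-encoded on the wire
    "hello, world",                      # comma but no quote: must not fire
    "1' union select(space(1))",         # comment/space obfuscation probe
    "x' union select password from users--",
]


def main():
    for value in SAMPLES:
        result = check_942200(value)
        if result is None:
            print(f"no match   : {value!r}")
        else:
            print(f"{result['branch']:<11}: {value!r} -> TX.0={result['matched']!r}")


if __name__ == "__main__":
    main()
```

Running it shows the first alternative firing on both benign strings because a hex letter or digit directly before a closing quote is enough to satisfy it (`0"` in the gallery ids, `e"` in "to be"), while the two injection probes are caught by the second and third alternatives that the first one does not help with.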