Ken Brucker
2018-01-10 19:23:48 UTC
I've been looking at some false positives related to rule 942200.
Side note, I'm running CRS 3.0.2 but the rules still have a version 3.0.0 tag. I was surprised to see that.
Here's an exemplar from the audit file:
Message: Warning. Pattern match "(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\\Z|[^\"'`]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" at ARGS:data[]. [file "/etc/httpd/modsecurity.d/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "649"] [id "942200"] [rev "2"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22] found within ARGS:data[]: [gallery columns=\x225\x22 size=\x22medium\x22 ids=\x224953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570\x22]"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"]
After looking at this rule a bit, it will trigger on a string like:
To quote William Shakespeare, "to be, or not to be".
The first alternative in the regex matches a very broad range of text and seems far too general. Is this intentional? It looks like the intent is to capture variations on quoted numbers but it's going above and beyond.
The rule:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" \
"phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'8',\
capture,\
t:none,t:urlDecodeUni,\
block,\
msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\
id:942200,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
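To reproduce the two false positives described above outside ModSecurity, here is an added Python script (not from the CRS project or the original post) that splits the 942200 operator into its three top-level alternatives and reports which one fires, alongside the full match that ModSecurity would place in TX.0. It assumes Python's re engine behaves like PCRE for these single-line inputs and does not apply the rule's t:urlDecodeUni transformation.

```python
import re

# Rule 942200's operator is one regex wrapped in (?i:...). Split it into its
# three top-level alternatives so we can see which one is responsible for a hit.
ALT_COMMA_QUOTE = r""",.*?[)\da-f"'`]["'`](?:["'`].*?["'`]|\Z|[^"'`]+)"""
ALT_SELECT_FROM = r"""\Wselect.+\W*?from"""
ALT_KEYWORD_SPACE = (
    r"""(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)"""
    r"""\s*?\(\s*?space\s*?\("""
)
ALTERNATIVES = {
    "comma-quote": ALT_COMMA_QUOTE,
    "select-from": ALT_SELECT_FROM,
    "keyword-space": ALT_KEYWORD_SPACE,
}
# Same shape as the rule: (?i:(?:A)|(?:B)|(C)). Python's \Z is PCRE's \z
# (absolute end of string), which makes no difference for single-line values.
RULE_942200 = re.compile(
    f"(?i:(?:{ALT_COMMA_QUOTE})|(?:{ALT_SELECT_FROM})|({ALT_KEYWORD_SPACE}))"
)

# Constructed inputs: the gallery shortcode from the audit log entry and the
# Shakespeare sentence from the post. t:urlDecodeUni is not applied here.
GALLERY_SHORTCODE = ('[gallery columns="5" size="medium" '
                     'ids="4953,4947,4937,4935,4929,4463,4430,5905,5766,7878,7570"]')
QUOTE = 'To quote William Shakespeare, "to be, or not to be".'


def matched_data(value):
    """Emulate TX.0 for rule 942200: the full match, or None when the rule is quiet."""
    m = RULE_942200.search(value)
    return m.group(0) if m else None


def firing_alternatives(value):
    """Names of the alternatives that match the value on their own."""
    return [name for name, pat in ALTERNATIVES.items()
            if re.search(pat, value, re.IGNORECASE)]


if __name__ == "__main__":
    for sample in (GALLERY_SHORTCODE, QUOTE, "plain text, no quotes here"):
        print(repr(sample))
        print("  TX.0        :", repr(matched_data(sample)))
        print("  alternatives:", firing_alternatives(sample))
```

On both benign inputs only the comma-quote alternative fires, which is the part of the operator the post calls too general; the two SQL-keyword alternatives stay silent.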