Christian Folini
2016-02-02 08:06:00 UTC
Hello,
Walter has added substantial feedback on the list of possible paranoia
mode candidates. I think 8 candidates are controversial (out of about 45
candidates).
I'd like to discuss them here one by one.
Controversial Paranoia Mode Candidate 950120 (2.2.X) / 931130 (3.0.0rc1)
msg: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
Rule in 2.2.9:
SecRule ARGS "^(?:ht|f)tps?://(.*)$" \
"chain,phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"
Rule in 3.0.0rc1:
SecRule ARGS "^(?:ht|f)tps?://(.*)$" \
"chain,\
phase:request,\
rev:'3',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
capture,\
ctl:auditLogParts=+E,\
block,\
msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
id:'931130',\
severity:'CRITICAL',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-remote file inclusion',\
tag:'OWASP_CRS/WEB_ATTACK/RFI'"
SecRule TX:1 "!@beginsWith %{request_headers.host}" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"
In my blogpost at
https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/
I identified the said rule as one with very few false positives. Walter, however, brought it up as a rule with many false positives.
A wider perspective is thus needed.
Does anybody have anything to add?
Best,
Christian
--
mailto:***@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
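To make the behaviour of the rule chain above concrete for anyone weighing in, here is an added Python model of what 950120 / 931130 does per request. It is not code from the CRS project or from the post; the regex is copied verbatim from the rule, while the Transaction class, the sample requests, and the numeric values (tx.critical_anomaly_score = 5 and an inbound blocking threshold of 5, the stock CRS defaults) are assumptions made for this illustration. It shows that the second rule of the chain only suppresses links whose host portion begins with the request's own Host header, which is exactly why a legitimate third-party URL in a parameter (a return URL to an external identity provider, for instance) scores as critical.

```python
import re
from dataclasses import dataclass, field

# Regex taken verbatim from CRS rule 950120 (2.2.x) / 931130 (3.0.0rc1).
# t:none in the rule means the raw argument value is matched, untransformed.
RFI_URL_RE = re.compile(r"^(?:ht|f)tps?://(.*)$")

# Assumed stock CRS values: each critical match adds 5 to the anomaly
# score, and an inbound score of 5 or more is blocked.
CRITICAL_ANOMALY_SCORE = 5
INBOUND_THRESHOLD = 5


@dataclass
class Transaction:
    """Constructed stand-in for a ModSecurity transaction (assumption)."""
    host: str               # value of the request Host header
    args: dict              # ARGS: query and body parameters, name -> value
    anomaly_score: int = 0  # tx.anomaly_score
    rfi_score: int = 0      # tx.rfi_score (3.0 chain only)
    matches: list = field(default_factory=list)


def evaluate_rfi_rule(tx: Transaction) -> Transaction:
    """Mirror the two-rule chain: the first rule matches every ARGS value
    against the URL regex and captures what follows the scheme into TX:1;
    the chained rule then fires only if TX:1 does NOT begin with the Host
    header. Each firing adds the critical score, once per matching arg."""
    for name, value in tx.args.items():
        m = RFI_URL_RE.match(value)
        if not m:
            continue
        tx1 = m.group(1)                 # %{tx.1}: host[:port]/path of the link
        if tx1.startswith(tx.host):      # !@beginsWith %{request_headers.host}
            continue                     # same-domain link: chain does not fire
        tx.rfi_score += CRITICAL_ANOMALY_SCORE
        tx.anomaly_score += CRITICAL_ANOMALY_SCORE
        tx.matches.append((name, tx1))
    return tx


def would_block(tx: Transaction) -> bool:
    """Assumed anomaly-scoring decision: block once the threshold is reached."""
    return tx.anomaly_score >= INBOUND_THRESHOLD


# Constructed sample requests, all against an application on www.example.com.
SAMPLES = {
    # plain parameter: first rule never matches
    "plain": Transaction("www.example.com", {"q": "hello world"}),
    # link back to the same site: regex matches, chain suppresses it
    "same_domain": Transaction("www.example.com",
                               {"next": "https://www.example.com/account"}),
    # legitimate third-party URL (e.g. an external login provider's callback):
    # this is the false-positive shape the thread is about
    "external_return_url": Transaction("www.example.com",
                                       {"return_url": "https://login.idp.example.org/callback"}),
    # two off-domain links in one request score twice
    "two_links": Transaction("www.example.com",
                             {"a": "http://cdn.example.net/a.js",
                              "b": "ftp://files.example.net/b.txt"}),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> (score, blocked, matches)."""
    results = {}
    for name, tx in SAMPLES.items():
        evaluate_rfi_rule(tx)
        results[name] = (tx.anomaly_score, would_block(tx), list(tx.matches))
    return results


if __name__ == "__main__":
    for name, (score, blocked, matches) in run_samples().items():
        print(f"{name:20s} score={score:2d} blocked={blocked!s:5s} {matches}")
```

Running it shows the asymmetry that drives the false-positive argument: the rule is quiet for anything that links back to the serving host, but any parameter that carries a full URL to another domain, however legitimate, lands the request on the blocking threshold with a single match. Applications that pass third-party URLs in parameters by design are the ones for which the rule is a paranoia-mode candidate rather than a base rule.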