coreruleset: Rule: 942370: False positive 0202 - reopened
Description
[2021-08-05 10:19:57.] [-:error] ******* ***** [client ***.**.**.**] ModSecurity: Warning. Pattern match "(?i:[\\"'`](?:\\\\s*?(?:(?:\\\\*.+(?:(?:an|i)d|between|like|x?or|div)\\\\W*?[\\"'`]|(?:between|like|x?or|and|div)\\\\s[^\\\\d]+[\\\\w-]+.*?)\\\\d|[^\\\\w\\\\s?]+\\\\s*?[^\\\\w\\\\s]+\\\\s*?[\\"'`]|[^\\\\w\\\\s]+\\\\s*?[\\\\W\\\\d].*?(?:--|#))|.*?\\\\*\\\\s*?\\\\d)|[()\\\\*<>%+-][\\\\w-]+[^\\\\w\\\\s]+[\\" ..." at ARGS:fq. [file ****/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "994"] [id "942370"] [msg "Detects classic SQL injection probings 2/3"] [data "Matched Data: (siteName:\\x22T found within ARGS:fq: (siteName:\\x22TEST- -2-2\\x22)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "****"] [uri ***/"] [unique_id "***"]
Audit Logs / Triggered Rule Numbers Your Environment CRS version (e.g., v3.2.0): Paranoia level setting: 1 ModSecurity version (e.g., 2.9.3): Web Server and version (e.g., httpd 2.4.41): Operating System and version: RHEL 7.9
Confirmation [ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Hi Guys,
I have enabled the paranoia-level =2 and getting the above false positive when I access the “sites” tab in my website, Could you please suggest the fix or any alterations in the rule to fix the issue?
Fix has been given in https://github.com/coreruleset/coreruleset/issues/2173
But the fix seems to be not accepted by project people, Could you please provide an alternate solution, that our security team is not accepting that we allow the WAF to work with an single argument (q), They are expecting that it may affect the WAF. So you have any alternate suggestion on this? Also there is any possibilities that we can check what has been blocked?
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 55 (23 by maintainers)
@Shajin02 Hi, that won’t work exactly as you wrote it. First, try to always embed the code part using three backticks, otherwise it is harder to read 😄
id
in both rules.SecRule
s should use the same REQUEST_FILENAME probably.ctl:ruleRemoveTargetById=942130;ARGS:<the matched argument>
together (separated by commas).Regarding what the waf is blocking, it is blocking the function call
cos()
, that can be used in SQL Injections.