coreruleset: False positive in ARGS_NAMES for strings starting with `sh` at PL1

We might need to adjust rule 932250 to match a word boundary or entirely remove sh. The following two FPs were reported (https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/pull/13#issuecomment-1478016465):

[Tue Mar 21 20:08:32.933165 2023] [:error] [pid 84006] [client 127.0.0.1:39176] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:^|=)[\\\\s\\\\v]*(?:t[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| &&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?i[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?m[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[ ..." at ARGS_NAMES:shared_with_me. [file "/etc/modsecurity/coreruleset/rules/REQUEST-932- APPLICATION-ATTACK-RCE.conf"] [line "454"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: sh found within ARGS_NAMES:shared_with_me: shared_with_me"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/ocs/v2.php/apps/files_sharing/api/v1/shares"] [unique_id "ZBnBaIuP46e4C-fX7gSDlgAAAAQ"]

[Tue Mar 21 20:08:49.103324 2023] [:error] [pid 84024] [client 127.0.0.1:48878] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:^|=)[\\\\s\\\\v]*(?:t[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?i[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?m[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[ ..." at ARGS_NAMES:shareType. [file "/etc/modsecurity/coreruleset/rules/REQUEST-932- APPLICATION-ATTACK-RCE.conf"] [line "454"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: sh found within ARGS_NAMES:shareType: shareType"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/ocs/v2.php/apps/files_sharing/api/v1/shares"] [unique_id "ZBnBeayMuETcCwNBO4PTKAAAAAg"]
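As an added illustration of why a trailing word boundary resolves this, here is a constructed, simplified stand-in for the rule (not the actual 932250 expression, which the log truncates): it keeps only the visible `(?i)(?:^|=)[\s\v]*` prefix and the `sh` alternative, and is run over the two reported parameter names plus a few constructed command-like inputs. The sample set and the bounded variant are assumptions for illustration, not a proposed CRS patch.

```python
import re

# Constructed, simplified stand-in for the structure visible in the logged
# 932250 pattern: (?i)(?:^|=)[\s\v]* followed by a command word. The real
# rule's expression is far longer (the log truncates it); this is NOT it.
# It reproduces the reported behaviour: "sh" matches any name that starts with it.
LOOSE = re.compile(r"(?i)(?:^|=)[\s\v]*sh")

# Candidate fix from the issue: require a word boundary after the command word,
# so "sh" only matches when it is a complete token (e.g. "sh -c ...").
BOUNDED = re.compile(r"(?i)(?:^|=)[\s\v]*sh\b")

def matches(pattern, value):
    return pattern.search(value) is not None

# Constructed samples: the two ARGS_NAMES from the Nextcloud report, plus inputs
# that a "direct Unix command execution" rule should still flag (True).
SAMPLES = {
    "shared_with_me": False,   # legitimate Nextcloud parameter name
    "shareType": False,        # legitimate Nextcloud parameter name
    "shell_enabled": False,    # another plain word beginning with "sh"
    "sh": True,
    "sh -c id": True,
    "x=sh": True,
    "cmd= sh -c id": True,
}

def evaluate(pattern):
    """Return {sample: matched} for a pattern over the constructed samples."""
    return {s: matches(pattern, s) for s in SAMPLES}

def false_positives(pattern):
    """Benign samples the pattern flags anyway."""
    return [s for s, want in SAMPLES.items() if not want and matches(pattern, s)]

def false_negatives(pattern):
    """Command samples the pattern fails to flag."""
    return [s for s, want in SAMPLES.items() if want and not matches(pattern, s)]

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("bounded", BOUNDED)):
        print(name, "FP:", false_positives(pat), "FN:", false_negatives(pat))
```

Until the 4.0 rule itself changes, the plugin-level workaround is a target exclusion for the affected parameter, e.g. `SecRuleUpdateTargetById 932250 "!ARGS_NAMES:shared_with_me"`.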

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (15 by maintainers)

Most upvoted comments

Got the same problem with thousands of alerts. Here is another good example: [id "932236"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fi found within ARGS_NAMES:field_metatags[0][advanced][rights]"]. I think that's too strict for ARGS_NAMES in PL2.

Yes, that’s what I thought.

I understand the urgency, but please understand that this is a change for 4.0, which hasn’t yet been released. I’ll look at it as soon as I can.