coreruleset: Rule 942200 triggers a substantial number of false positives.

Description

Not sure what rule 942200 is supposed to do exactly (as it's not documented nor has tests), but it yields a lot of false positives. For example, a simple payload like this gets blocked: ?text=yes, bob's.

For the corpus wikipedia_2016_1M it yields 28342 results.

$ grep -i -E -c -f regexes.txt ./eng_wikipedia_2016_1M/eng_wikipedia_2016_1M-sentences.txt
28342

The most critical expression from 942200.data is ,.*?[)\da-f\"'`][\"'`][^\"'`]+ which alone yields 27983 results.

TBF, the rule doesn't seem to be doing anything useful (except \Wselect.+\W*?from, which doesn't fit the rule and should be moved somewhere else), so I'd consider disabling it. One thing is for sure: it needs documentation and tests.

The usage of the word space also seems to be a bug.
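To see why that expression fires on ordinary prose, here is an added example (not code from the issue or from the CRS project) that runs the quoted pattern case-insensitively, as the grep -i -E above does, over a few constructed sentences and reports which ones it would flag:

```python
import re

# The expression quoted from 942200.data in the issue, kept in its original form.
EXPR = r",.*?[)\da-f\"'`][\"'`][^\"'`]+"
PATTERN = re.compile(EXPR, re.IGNORECASE)  # grep -i -E semantics

# Constructed sample sentences (not taken from the Wikipedia corpus).
SAMPLES = [
    "yes, bob's.",              # the payload from the issue: 'b' + apostrophe + text
    "Hello, world",             # no quote character at all
    "Well, it's fine",          # apostrophe preceded by 't', which is not in the class
    "Yes, Bob's car is red",    # 'B' counts as a hex digit under -i
    'Rated 5, "good" enough',   # 'd' before the closing double quote
    'Sure, "fine"',             # quote is last: the trailing [^"'`]+ has nothing to eat
]


def flag_lines(lines):
    """Return the lines the expression matches, mirroring grep's line selection."""
    return [line for line in lines if PATTERN.search(line)]


def count_flagged(lines):
    """Equivalent of grep -c: number of lines that would trigger the rule."""
    return len(flag_lines(lines))


def matched_fragment(line):
    """Show exactly which substring satisfied the pattern, or None."""
    m = PATTERN.search(line)
    return m.group(0) if m else None


if __name__ == "__main__":
    for line in SAMPLES:
        frag = matched_fragment(line)
        print(f"{'FLAG' if frag else 'pass'}  {line!r}  -> {frag!r}")
    print(f"{count_flagged(SAMPLES)} of {len(SAMPLES)} constructed lines flagged")
```

Any comma followed later by a hex digit, a closing parenthesis or a quote, then a quote, then at least one more character is enough, so possessives such as "bob's" are flagged while "it's" is not.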

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 21 (11 by maintainers)

Most upvoted comments

Adding them to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf works, learning every day 😃

For people finding this ticket:

SecRuleUpdateTargetById 942260 !REQUEST_COOKIES
SecRuleUpdateTargetById 942340 !REQUEST_COOKIES
SecRuleUpdateTargetById 942200 !REQUEST_COOKIES
SecRuleUpdateTargetById 942370 !REQUEST_COOKIES

SecRuleUpdateTargetById 920300 !REQUEST_HEADERS

Yes, that is correct. JSON in Cookies is really a nightmare. There’s nothing we can do on our side, at least not short-term. You will have to tune those rules. Deactivate the problematic ones or, better, dynamically exclude things that you know are benign.

msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination' space is a function in MySQL, apparently.

The SQLi rules are a mess and we're in the process of cleaning them up. It will probably be a while before we can address this particular issue, so I've added a new sqli label.