coreruleset: Rule: 942370: False positive 0202

Description

[2021-08-05 10:19:57.] [-:error] ******* ***** [client ***.**.**.**] ModSecurity: Warning. Pattern match "(?i:[\\"'`](?:\\\\s*?(?:(?:\\\\*.+(?:(?:an|i)d|between|like|x?or|div)\\\\W*?[\\"'`]|(?:between|like|x?or|and|div)\\\\s[^\\\\d]+[\\\\w-]+.*?)\\\\d|[^\\\\w\\\\s?]+\\\\s*?[^\\\\w\\\\s]+\\\\s*?[\\"'`]|[^\\\\w\\\\s]+\\\\s*?[\\\\W\\\\d].*?(?:--|#))|.*?\\\\*\\\\s*?\\\\d)|[()\\\\*<>%+-][\\\\w-]+[^\\\\w\\\\s]+[\\" ..." at ARGS:fq. [file ****/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "994"] [id "942370"] [msg "Detects classic SQL injection probings 2/3"] [data "Matched Data: (siteName:\\x22T found within ARGS:fq: (siteName:\\x22TEST- -2-2\\x22)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "****"] [uri ***/"] [unique_id "***"]

Audit Logs / Triggered Rule Numbers

Your Environment

  • CRS version (e.g., v3.2.0):
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3):
  • Web Server and version (e.g., httpd 2.4.41):
  • Operating System and version: RHEL 7.9

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Hi Guys,

I have enabled paranoia level 2 and am getting the above false positive when I access the “sites” tab on my website. Could you please suggest a fix, or any alterations to the rule, to resolve the issue?

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 31 (12 by maintainers)

Most upvoted comments

Can we close this issue?

I had added a separate exception for the 2 IDs; it worked.

Thanks a lot @airween, let me check and get back to you. Then I can proceed with closing the issue.
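The "separate exception" the reporter settled on is, in CRS terms, a rule exclusion that stops 942370 from inspecting the `fq` parameter while leaving the rule active everywhere else. The following ModSecurity configuration is an added illustration of the two standard forms of that exclusion; it is not taken from the issue or from the CRS project, and the `/sites` path, the local rule id 1001 and the placeholder for the second excluded rule id are assumptions.

```apache
# Option A: runtime exclusion scoped to the request that produces the false positive.
# Place it in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which is evaluated before the
# CRS rules so the ctl action takes effect for this request only.
# The URI "/sites" is an assumption based on the reporter's "sites" tab; adjust it to the
# real path. Rule id 1001 lies in the 1-99999 range reserved for local rules.
SecRule REQUEST_URI "@beginsWith /sites" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942370;ARGS:fq"

# Option B: configure-time exclusion that applies to every request on the host.
# It must be parsed after rule 942370 has been loaded, so it belongs in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
SecRuleUpdateTargetById 942370 "!ARGS:fq"

# The reporter excluded a second rule id as well, but its log entry is not shown in the
# issue; replace the placeholder with the id taken from that entry before enabling this line.
# SecRuleUpdateTargetById <SECOND_RULE_ID> "!ARGS:fq"
```

Option A is the tighter choice when the parameter is only legitimate on one path, because the exclusion never applies to other URIs; after adding either form, re-request the "sites" tab and confirm the 942370 entry no longer appears in the error log.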