coreruleset: Rule Id: 932150 false positive on time keyword
Description
Request “/api/v1/query?q=time+warner”, “GET”, “1.1” returned 403.
Rule Id: 932150 phase: 2
- Match, but no disruptive action: ModSecurity: Warning. Matched "Operator
Rx' with parameter
(?:^|=)\s*(?:{|\s*(\s*|\w+=(?:[^\s]|$.|$.|<.|>.|'.'|".")\s+|!\s|$)\s(?:‘|")(?:[?*[]()-|+\w’"./\\]+/)?[\\'"](?:l[\\’"](?😒(?:[\\'"](?:b[\\‘"]*_[\\’"]*r (6252 characters omitted)’ against variableARGS:q' (Value:
time warner’ ) [file “/opt/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf”] [line “444”] [id “932150”] [rev “”] [msg “Remote Command Execution: Direct Unix Command Execution”] [data “Matched Data: time found within ARGS:q: time warner”] [severity “2”] [ver “OWASP_CRS/3.3.0”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-shell”] [tag “platform-unix”] [tag “attack-rce”] [tag “paranoia-level/1”] [tag “OWASP_CRS”] [tag “capec/1000/152/248/88”] [tag “PCI/6.5.2”] [hostname “”] [uri “/api/v1/query”] [unique_id “161670536857.434291”] [ref “o0,5v20,11”]
Log: [client ] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter
5’ against variable TX:ANOMALY_SCORE' (Value:
5’ ) [file “/opt/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “138”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.0”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “”] [uri “/api/v1/query”] [unique_id “161670536857.434291”] [ref “”]
Intervention, returning code: 403
Your Environment
- CRS version: default v3.4/dev
- Paranoia level setting:
- ModSecurity version : 3.0.4
- Web Server and version :
- Operating System and version: Amazon Linux 2
Confirmation
[x ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 16 (14 by maintainers)
I tried an approach which was not fruitful and I have to dig into it more. Thanks for your patience.
I’m willing to help.
But I am not sure how to build and test the changes.
Instructions on how to build the changes from scratch will help.
In order to modify the regexp, it is the same procedure that I described in https://github.com/coreruleset/coreruleset/issues/2071#issuecomment-837235485. After changing the source patterns, the compressed regexp has to be built.
I’m not exactly up to date on the proposed change but will be very interested to hear more.
We talked about this in the April issue chat. Here is our conclusion:
@flo405 has a plan how to solve this plus some additional bypasses. He will coordinate with @franbuehler who self-assigned.