SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

False Positive Blocks Grafana #1246

Closed gordan-bobic closed 6 years ago

gordan-bobic commented 6 years ago

Type of Issue

False Positive

Description

Rule:

SecRule ARGS "\W{4,}" "phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"

Error Log:

[Sun Nov 25 19:08:14.001163 2018] [:error] [pid 43694] [client 81.174.139.133:38994] [client 81.174.139.133] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:query. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: =~\\x22\\x22}  found within ARGS:query: (node_memory_MemAvailable{instance=~\\x22\\x22} or \\x0a(node_memory_MemFree{instance=~\\x22\\x22}   node_memory_Buffers{instance=~\\x22\\x22}   node_memory_Cached{instance=~\\x22\\x22})) / \\x0anode_memory_MemTotal{instance=~\\x22\\x22} * 100"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [hostname "pmm.example.net"] [uri "/graph/api/datasources/proxy/1/api/v1/query_range"] [unique_id "W-rzHcfltHgW9QW3@BtcKgAAAAE"], referer: https://pmm.example.net/graph/d/Fxvd1timk/home-dashboard?orgId=1

Audit Log:

--22250c08-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:query. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data:  () (( found within ARGS:query: avg by () ((sum by (instance,cpu) ( (clamp_max(rate(node_cpu{instance=~\x22\x22,mode!='idle',mode!=\x22iowait\x22}[5m]),1)) or  \x0a(clamp_max(irate(node_cpu{instance=~\x22\x22,mode!='idle',mode!=\x22iowait\x22}[5m]),1)) ))*100 or \x0asum by () (avg_over_time(node_cpu_average{instance=~\x22\x22,mode!=\x22idle\x22, mode!=\x22total\x22,mode!=\x22idle\x22}[5m]) or \x0aavg_over_time(node_cpu_average{instance=~\x22\x22,mode!=\x22idle\x22,mode!=\x22total\x22,mode!=..."] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 81.174.139.133] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\\\\\W{4,}" at ARGS:query. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data:  () (( found within ARGS:query: avg by () ((sum by (instance,cpu) ( (clamp_max(rate(node_cpu{instance=~\\\\x22\\\\x22,mode!='idle',mode!=\\\\x22iowait\\\\x22}[5m]),1)) or  \\\\x0a(clamp_max(irate(node_cpu{instance=~\\\\x22\\\\x22,mode!='idle',mode!=\\\\x22iowait\\\\x22}[5m]),1)) ))*100 or \\\\x0asum by () (avg_over_time(node_cpu_average{instance=~\\\\x22\\\\x22,mode!=\\\\x22idle\\\\x22, mode!=\\\\x22total\\\\x22,mode!=\\\\x22idle\\\\x22}[5m]) or \\\\x0aavg_over_time(node_cpu_average{instance=~\\\\x22\\\\x22,mode!=\\\\x22idle\\\\x22,mode!=\\\\x22total\\\\x22,mode!=..."] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [hostname "pmm.example.net"] [uri "/graph/api/datasources/proxy/1/api/v1/query_range"] [unique_id "W-rzHfukWkjDdc-Q8UxG5wAAAAw"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1543172893807566 118639 (- - -)
Stopwatch2: 1543172893807566 118639; combined=118078, p1=117892, p2=133, p3=0, p4=0, p5=53, sr=135, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "ENABLED"

--22250c08-Z--

Your Environment

Confirmation
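To see why rule 960024 fires on a PromQL query, and to pull out of the error log the two fields a scoped rule exclusion needs (rule id and matched target), here is an added Python example; it is not CRS or ModSecurity code. The query and the log line are constructed from the report above; the `urlDecodeUni` approximation, the exclusion id 10001 and the URI prefix `/graph/api/datasources/proxy/` are assumptions.

```python
"""Reproduce CRS 2.2.9 rule 960024 (\\W{4,} over ARGS) against the PromQL queries
Grafana proxies, and derive a URI-scoped exclusion from a ModSecurity error-log line.
Added example; the sample query and log line are constructed from the issue report."""
import re
import urllib.parse

# Operator regex of rule 960024 as posted in the report. Note: Python's \W is
# Unicode-aware, ModSecurity's PCRE is ASCII by default; identical for this input.
META_CHAR_RUN = re.compile(r"\W{4,}")

# Constructed PromQL query in the shape of the one from the report's error log.
PROMQL_QUERY = (
    '(node_memory_MemAvailable{instance=~""} or \n'
    '(node_memory_MemFree{instance=~""}   node_memory_Buffers{instance=~""}   '
    'node_memory_Cached{instance=~""})) / \nnode_memory_MemTotal{instance=~""} * 100'
)

# Constructed error-log line with the fields of the one in the report (data shortened).
ERROR_LOG_LINE = (
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:query. '
    '[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] '
    '[line "37"] [id "960024"] [rev "2"] '
    '[msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] '
    '[data "Matched Data: =~\\x22\\x22}  found within ARGS:query: '
    '(node_memory_MemAvailable{instance=~\\x22\\x22} or ..."] '
    '[hostname "pmm.example.net"] [uri "/graph/api/datasources/proxy/1/api/v1/query_range"]'
)


def url_decode_uni(value):
    """Approximation (assumption) of t:urlDecodeUni: %XX, IIS-style %uXXXX and '+'."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return urllib.parse.unquote_plus(value)


def meta_char_runs(arg_value):
    """Every run of four or more non-word characters the rule flags in one ARGS value.
    PromQL trips it on label matchers like '=~""} ' even before any spaces pile up."""
    return META_CHAR_RUN.findall(url_decode_uni(arg_value))


# [key "value"] pairs; values never contain a raw '"' because ModSecurity writes \x22.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Target named in 'Pattern match "..." at ARGS:query.'
TARGET = re.compile(r" at ([\w:\-]+)\.")


def parse_error_log(line):
    """Map the bracketed fields of a ModSecurity error-log entry to a dict,
    turning the \\xHH escapes back into the original bytes."""
    def unescape(v):
        return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return {k: unescape(v) for k, v in FIELD.findall(line)}


def exclusion_rule(rule_id, target, uri_prefix, exclusion_id):
    """ModSecurity 2.x exclusion: drop one target from one rule for one URI prefix
    via ctl:ruleRemoveTargetById, so the rule keeps running everywhere else.
    Assumptions: exclusion_id is a free local id and the directive is loaded
    before the CRS rule files (phase 1, so it runs before the phase-2 rule)."""
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
        f'"id:{exclusion_id},phase:1,pass,nolog,'
        f'ctl:ruleRemoveTargetById={rule_id};{target}"'
    )


def suggest_exclusion(line, uri_prefix, exclusion_id):
    """Parse a rule-match log line and build the matching scoped exclusion."""
    fields = parse_error_log(line)
    match = TARGET.search(line)
    if match is None or "id" not in fields:
        raise ValueError("not a ModSecurity rule-match line")
    return exclusion_rule(fields["id"], match.group(1), uri_prefix, exclusion_id)


if __name__ == "__main__":
    for run in meta_char_runs(PROMQL_QUERY):
        print("would match:", repr(run))
    fields = parse_error_log(ERROR_LOG_LINE)
    print("rule", fields["id"], "on", fields["uri"])
    print(suggest_exclusion(ERROR_LOG_LINE, "/graph/api/datasources/proxy/", 10001))
```

The generated directive goes in front of the CRS include (with CRS 3 the same line belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf); it removes only ARGS:query from rule 960024 for the Grafana proxy path, which is narrower than a SecRuleRemoveById that would silence the rule for the whole site.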

dune73 commented 6 years ago

Thank you for reporting. Unfortunately, you are using an outdated version of CRS.

CRS 3.0.0 came out two years ago. It solves over 90% of the false positives. Please upgrade!