Closed by fuomag9 1 year ago
I got the same issue:
{"level":"error","ts":1673544236.7567112,"logger":"http.handlers.waf","msg":"[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (6) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"HTTP Parameter Pollution (6)\"] [data \"Matched Data: 61 found within TX:paramcounter_args_names: 2\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"6O9wmrLtst9uCuC0uJH\"]\n[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (6) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"6O9wmrLtst9uCuC0uJH\"]\n"}
{"level":"error","ts":1673544237.6627173,"logger":"http.handlers.waf","msg":"[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (3) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"HTTP Parameter Pollution (3)\"] [data \"Matched Data: db31 found within TX:paramcounter_args_names: 2\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"Jgn0Cp0kW7w3kKLGCzJ\"]\n[client \"10.244.0.67\"] Coraza: Warning. HTTP Parameter Pollution (3) [file \"/ruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf\"] [line \"0\"] [id \"921180\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/137/15/460\"] [tag \"paranoia-level/3\"] [hostname \"\"] [uri \"/auth/signin\"] [unique_id \"Jgn0Cp0kW7w3kKLGCzJ\"]\n"}
This issue is being taken care of in Coraza Core, thank you for your report.
Hi, when using the recommended files and configuration with 4.0/dev for coreruleset there is no hostname value in logs and all SecRule SERVER_NAME will not match as a consequence.

FYI the same rules do work on modsecurity + nginx so they are NOT the issue
Relevant logs:
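
An added example, not part of the issue thread and not Coraza or coraza-caddy code: a Go check that parses Caddy JSON log entries shaped like the ones quoted on this page and reports every Coraza record whose hostname field is empty. The names `EmptyHostnames`, `Finding` and `sampleLine`, and the sample entry itself, are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// sampleLine is a constructed Caddy JSON log entry (not taken from the thread).
const sampleLine = `{"level":"error","logger":"http.handlers.waf","msg":"[client \"192.0.2.10\"] Coraza: Warning. Sample rule [id \"900001\"] [hostname \"\"] [uri \"/login\"] [unique_id \"CONSTRUCTED1\"]\n[client \"192.0.2.10\"] Coraza: Warning. Sample rule [id \"900002\"] [hostname \"app.example.test\"] [uri \"/login\"] [unique_id \"CONSTRUCTED2\"]\n"}`

// fieldRe matches one [key "value"] pair of a Coraza log record.
var fieldRe = regexp.MustCompile(`\[(\w+) "((?:[^"\\]|\\.)*)"\]`)

// Finding identifies one Coraza record that was logged with an empty hostname.
type Finding struct{ RuleID, URI, UniqueID string }

// EmptyHostnames parses one Caddy JSON log line and returns a Finding for each
// Coraza record in it whose hostname field is present but empty.
func EmptyHostnames(line string) ([]Finding, error) {
	var e struct {
		Logger string `json:"logger"`
		Msg    string `json:"msg"`
	}
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return nil, err
	}
	if e.Logger != "http.handlers.waf" {
		return nil, nil // not a WAF log entry
	}
	var out []Finding
	for _, rec := range strings.Split(e.Msg, "\n") { // one msg may hold several records
		f := map[string]string{}
		for _, m := range fieldRe.FindAllStringSubmatch(rec, -1) {
			f[m[1]] = m[2]
		}
		if host, ok := f["hostname"]; ok && host == "" {
			out = append(out, Finding{f["id"], f["uri"], f["unique_id"]})
		}
	}
	return out, nil
}

func main() {
	findings, err := EmptyHostnames(sampleLine)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("rule %s on %s (unique_id %s) logged without hostname\n", f.RuleID, f.URI, f.UniqueID)
	}
}
```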