Open isniukArte opened 4 weeks ago
Thank you for your report and sorry for the inconvenience. I can confirm the false positive:
curl -H "x-crs-paranoia-level: 2" -H "x-format-output: txt-matched-rules" -A "Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36" https://sandbox.coreruleset.org/
932239 PL2 Remote Command Execution: Unix Command Injection found in user-agent or referer header
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
Indeed, this user-agent seems to be legit. I don't find an exact match, but two (or more) close examples, where we also find this "; PG" as part of the user-agent string:
I think this false positive could be resolved by adding "pg" or "pgt" (I'll have to find out) to the file that handles user-agent exclusions for rule 932230.
I can provide a PR for that so that this false positive gets resolved for the next CRS release.
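To make the false positive concrete, here is an added, simplified stand-in for the 932230/932239 command-name check and for the user-agent exclusion the comment above proposes; it is not the CRS regex or the project's exclusion mechanism, and the command list, the `UA_EXCLUSIONS` token and the `find_command` helper are constructed for illustration. It shows why "; PGT-N19" is read as a separator followed by the Unix command "pg", and how blanking a known device token before the check clears it while a real separator-plus-command string still matches.

```python
import re
from typing import Optional

# Constructed, shortened command list. Longest names first so the alternation
# reports "; pgrep" rather than stopping early at "; pg".
COMMANDS = ["python", "pgrep", "pkill", "ping", "perl", "php", "pg", "sh"]

# A shell separator (or start of string), optional whitespace, then a command
# name. No boundary is required after the name: the issue's log shows the rule
# stopped right after "PG" ("Matched Data: ; PG"), so "PGT-N19" is enough.
INJECT_RE = re.compile(
    r"(?:^|[;|&]\s*)(?:" + "|".join(map(re.escape, COMMANDS)) + r")",
    re.IGNORECASE,
)

# Hypothetical equivalent of the user-agent exclusion list mentioned in the
# comment: substrings that legitimately occur in device model tokens and are
# blanked out before the command check runs. "pg" vs "pgt" is still open in
# the thread; this uses the Honor model prefix as seen in the report.
UA_EXCLUSIONS = ["; PGT-"]

# User-agent quoted in the issue.
HONOR_UA = (
    "Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
    "Chrome/124.0.6367.180 Mobile Safari/537.36"
)


def find_command(user_agent: str, exclusions=()) -> Optional[str]:
    """Return the text the rule would log as Matched Data, or None if clean."""
    cleaned = user_agent
    for token in exclusions:
        # Case-insensitive removal, mirroring the rule's own case handling.
        cleaned = re.sub(re.escape(token), " ", cleaned, flags=re.IGNORECASE)
    match = INJECT_RE.search(cleaned)
    return match.group(0) if match else None


if __name__ == "__main__":
    print(find_command(HONOR_UA))                  # "; PG"  (false positive)
    print(find_command(HONOR_UA, UA_EXCLUSIONS))   # None    (excluded)
    print(find_command("Mozilla/5.0 (X11; Linux); pgrep sshd", UA_EXCLUSIONS))
```

The third call shows the exclusion is narrow: a user-agent that really carries a separator followed by a command name is still reported.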
Description
We have a lot of absolutely legal requests from real users with User-Agent like this:
Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36
These requests are blocked by 932239 with reason:
Matched Data: ; PG found within REQUEST_HEADERS:user-agent: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36
How to reproduce the misbehavior (-> curl call)
Your Environment
Confirmation
[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.