owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

libModSecurity3: all triggered rule IDs sometimes won't be logged with anomaly scoring #3204

Open EsadCetiner opened 1 month ago

EsadCetiner commented 1 month ago

Describe the bug

ModSecurity sometimes doesn't log all of the rule IDs triggered within a request. This is annoying with false positives, as you have to go through multiple tuning iterations just to resolve one false positive. This happens in both detection-only mode and blocking mode. I haven't been able to find the cause, but I do know how to trigger the issue.

Logs and dumps

N/A See below

To Reproduce

I have some test payloads in my SOGo plugin that have this issue. Run them against CRS using go-ftw 0.6.4 (https://coreruleset.org/docs/development/testing/). I'll be using this test as an example: https://github.com/EsadCetiner/sogo-rule-exclusions-plugin/blob/b224054707ca0d0e7b73c9af4b1ae265970baf98/tests/regression/sogo-rule-exclusions-plugin/9520130.yaml#L8

As an end user, I get a false positive like this:

---5DJqybFW---A--
[31/Jul/2024:16:30:10 +1000] 172240741056.351112 127.0.0.1 56232 127.0.0.1 8080
---5DJqybFW---B--
POST /SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---5DJqybFW---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---5DJqybFW---D--

---5DJqybFW---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---5DJqybFW---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 31 Jul 2024 06:30:10 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---5DJqybFW---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `41' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 41)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref ""]

So then I create a rule exclusion, thinking it'll fix the issue:

SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
    ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
    ctl:ruleRemoveTargetById=920273;REQUEST_BODY"

Then later on I encounter the exact same false positive with the exact same payload:

---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---ibRMdl5Z---D--

---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]

---ibRMdl5Z---I--

Now I have to modify my previous rule exclusion to exclude the new rule IDs showing up:

SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=920273;ARGS_NAMES:json.$hasAlarm,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.id,\
    ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
    ctl:ruleRemoveTargetById=920273;REQUEST_BODY"

But if you pay attention to the anomaly score, you'll see that there's a score of 28 while only 2 rules have been logged (adding up to 8 points). I'll have to do a few more iterations before this false positive can be fully resolved.

Expected behavior

I should be able to see all of the rule IDs triggered the first time so I can fully resolve the false positive the first time. Something like this:

---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---ibRMdl5Z---D--

---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS:json.attachUrls.array_0.value' (Value: `https://example.com/' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS:json.attachUrls.array_0.value=https://example.com/"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completed' (Value: `2024-03-04T15:37:15.262Z' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completed: 2024-03-04T15:37:15.262Z"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]

---ibRMdl5Z---I--

Server:

Rule Set: CRSv4.5.0

Additional context

N/A

airween commented 1 month ago

Hi @EsadCetiner,

thanks for this detailed report.

First of all, let me ask you: the lines in the H section under the expected behavior part have different unique_id values. There are 3 or 4 different ids, but, as far as I know, within a transaction the unique ids must be the same.

Is this just a typo?

Btw, there is a known bug in libmodsecurity3: if a rule matches multiple targets, only one target will be logged, but the TX anomaly score is incremented "normally". Maybe you ran into this problem?

EsadCetiner commented 1 month ago

@EsadCetiner

First of all, let me ask you: the lines in the H section under the expected behavior part have different unique_id values. There are 3 or 4 different ids, but, as far as I know, within a transaction the unique ids must be the same.

Is this just a typo?

Yes, I was just showing approximately how I wanted the log output to look.

Btw, there is a known bug in libmodsecurity3: if a rule matches multiple targets, only one target will be logged, but the TX anomaly score is incremented "normally". Maybe you ran into this problem?

Yeah, I think that's the issue I'm encountering. Only 3 rules are being triggered by the example payload I used: 942432, 931130, and 920273 (I didn't notice this before). By the way, I couldn't find an open issue related to this in this repo or the nginx one.
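The mismatch the two of them are describing (anomaly score incremented for every matched target, but only one target per rule written to the H section) can be spotted mechanically from the audit log, which saves a tuning iteration spent wondering where the points came from. The following Python script is an added example, not part of the issue or of ModSecurity: it parses the `ModSecurity: Warning.` lines of an H section, credits each logged rule with the CRS default anomaly score for its severity (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2; this mapping is an assumption and must be adjusted if tx.*_anomaly_score is overridden), and compares the sum with the total that rule 949110 reports in its msg. The sample lines are constructed, shortened copies of the second log in the report above (unique_id 17225683525.862245), with the long Rx parameter and most tags dropped.

```python
import re

# Constructed sample: shortened copies of the three H-section lines from the
# second audit log in the issue. Real lines carry many more [key "value"] pairs
# (rev, ver, maturity, accuracy, data, hostname, uri, ref, ...) than kept here.
SAMPLE_H_SECTION = r'''
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [msg "Invalid character in request (outside of very strict set)"] [severity "2"] [tag "attack-protocol"] [tag "paranoia-level/4"] [unique_id "17225683525.862245"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [severity "4"] [tag "attack-sqli"] [tag "paranoia-level/4"] [unique_id "17225683525.862245"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [severity "0"] [tag "anomaly-evaluation"] [unique_id "17225683525.862245"]
'''

# Assumption: CRS default anomaly scores (tx.critical_anomaly_score=5,
# tx.error_anomaly_score=4, tx.warning_anomaly_score=3, tx.notice_anomaly_score=2).
# Keys are ModSecurity severity numbers as they appear in [severity "N"]:
# 2 = CRITICAL, 3 = ERROR, 4 = WARNING, 5 = NOTICE.
SEVERITY_SCORE = {2: 5, 3: 4, 4: 3, 5: 2}

# [key "value"] pairs; the value may contain escaped characters such as \x22.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The target the operator was applied to, e.g. ARGS:json.id
VAR_RE = re.compile(r"against variable `([^']*)'")
# Total score as written into the msg of the blocking evaluation rule
TOTAL_RE = re.compile(r"Total Score: (\d+)")


def parse_h_line(line):
    """Return a dict of the bracketed fields of one H-section line, with all
    [tag "..."] values collected into a list and the matched variable added."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields[key] = value
    fields["tags"] = tags
    m = VAR_RE.search(line)
    fields["variable"] = m.group(1) if m else ""
    return fields


def reconcile(h_section_text):
    """Sum the anomaly points of the rules actually logged and compare them with
    the total reported by the anomaly-evaluation rule (949110 in CRS 4)."""
    logged = []      # (rule id, matched variable, points) per logged match
    total = None
    for line in h_section_text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        ev = parse_h_line(line)
        if "anomaly-evaluation" in ev["tags"]:
            # The evaluation rule does not score; it only reports the total.
            m = TOTAL_RE.search(ev.get("msg", ""))
            if m:
                total = int(m.group(1))
            continue
        points = SEVERITY_SCORE.get(int(ev.get("severity", -1)), 0)
        logged.append((ev.get("id", "?"), ev["variable"], points))
    logged_score = sum(p for _, _, p in logged)
    return {
        "logged": logged,
        "logged_score": logged_score,
        "total_score": total,
        # Points that were scored but belong to no logged line: the symptom
        # described in the issue (matches on further targets left unlogged).
        "unlogged_score": None if total is None else total - logged_score,
    }


if __name__ == "__main__":
    report = reconcile(SAMPLE_H_SECTION)
    for rule_id, variable, points in report["logged"]:
        print(f"logged  {rule_id}  {variable}  +{points}")
    print(f"logged score   : {report['logged_score']}")
    print(f"reported total : {report['total_score']}")
    print(f"unlogged score : {report['unlogged_score']}")
```

Run on the sample, the script attributes 8 points to the two logged lines (920273 on ARGS_NAMES:json.$hasAlarm, 942432 on ARGS:json.id) against a reported total of 28, so 20 points came from matches that never reached the log. A non-zero unlogged score is the signal to expect further iterations of the kind shown above, or to collect the missing targets from a debug log instead of from the audit log.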

airween commented 1 month ago

Okay, thanks for confirming the behavior.

By the way, I couldn't find an open issue related to this in this repo or the nginx one.

Then this is the one which describes the bug :).

Thanks.