
libModSecurity3: all triggered rule IDs sometimes won't be logged with anomaly scoring

Open EsadCetiner opened this issue 1 year ago • 3 comments

Describe the bug

ModSecurity sometimes doesn't fully log all of the rule IDs triggered within a request. This is annoying with false positives, as you'll have to go through multiple tuning iterations just to resolve one false positive. This happens in both detection-only mode and blocking mode. I haven't been able to find a reason behind what's causing this, but I do know how to trigger the issue.

Logs and dumps

N/A See below

To Reproduce

I have some test payloads in my SOGo plugin that have this issue; run them against CRS using go-ftw 0.6.4 (https://coreruleset.org/docs/development/testing/). I'll be using this test as an example: https://github.com/EsadCetiner/sogo-rule-exclusions-plugin/blob/b224054707ca0d0e7b73c9af4b1ae265970baf98/tests/regression/sogo-rule-exclusions-plugin/9520130.yaml#L8

As an end user, I get a false positive like this:

---5DJqybFW---A--
[31/Jul/2024:16:30:10 +1000] 172240741056.351112 127.0.0.1 56232 127.0.0.1 8080
---5DJqybFW---B--
POST /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---5DJqybFW---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---5DJqybFW---D--

---5DJqybFW---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---5DJqybFW---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 31 Jul 2024 06:30:10 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---5DJqybFW---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `41' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 41)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref ""]

So then I create a rule exclusion thinking it'll fix the issue:

SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
    ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
    ctl:ruleRemoveTargetById=920273;REQUEST_BODY"

Then later on I encounter the exact same false positive with the exact same payload:

---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---ibRMdl5Z---D--

---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]

---ibRMdl5Z---I--

Now I have to modify my previous rule exclusion to exclude the new rule IDs showing up:

SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=920273;ARGS_NAMES:json.$hasAlarm,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.id,\
    ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
    ctl:ruleRemoveTargetById=920273;REQUEST_BODY"

But if you pay attention to the anomaly score, you'll see that there's a score of 28, but only 2 rules have been logged (together adding up to 8 points). I'll have to do a few more iterations before this false positive can be fully resolved.

Expected behavior

I should be able to see all of the rule IDs triggered the first time so I can fully resolve the false positive the first time. Something like this:

---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---ibRMdl5Z---D--

---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS:json.attachUrls.array_0.value' (Value: `https://example.com/' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS:json.attachUrls.array_0.value=https://example.com/"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completed' (Value: `2024-03-04T15:37:15.262Z' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completed: 2024-03-04T15:37:15.262Z"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]

---ibRMdl5Z---I--

Server:

  • ModSecurity version: ModSecurity v3.0.12 with nginx-connector v1.0.3
  • WebServer: Nginx 1.18.0
  • OS (and distro): Ubuntu 22.04

Rule Set: CRSv4.5.0

Additional context

N/A

EsadCetiner avatar Aug 02 '24 03:08 EsadCetiner
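The "score of 28 but only 8 points logged" observation above can be turned into a mechanical check. The following is an added example, not code from this issue or from the ModSecurity project: it parses the H section of a libModSecurity3 audit log, sums the CRS anomaly points of the rule lines that were actually logged (using the default CRS weights, critical=5, error=4, warning=3, notice=2, keyed on ModSecurity's numeric severity), and reports how many points the 949110 total contains that no logged line accounts for. The sample lines are constructed, shortened copies of the second audit log in this report.

```python
import re

# Constructed, shortened copies of the H-section lines from the second audit
# log in this issue; only the bracketed fields the check needs are kept.
SAMPLE_H_SECTION = """\
ModSecurity: Warning. Matched "Operator `ValidateByteRange' ..." [id "920273"] [msg "Invalid character in request (outside of very strict set)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [unique_id "17225683525.862245"]
ModSecurity: Warning. Matched "Operator `Rx' ..." [id "942432"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [unique_id "17225683525.862245"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' )" [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [severity "0"] [unique_id "17225683525.862245"]
"""

# ModSecurity numeric severity -> CRS anomaly points (CRS defaults, assumed
# unchanged: 2=CRITICAL -> 5, 3=ERROR -> 4, 4=WARNING -> 3, 5=NOTICE -> 2).
# Anything else (e.g. the severity "0" evaluation rules) scores 0.
SEVERITY_POINTS = {2: 5, 3: 4, 4: 3, 5: 2}

BLOCKING_EVALUATION_RULE = "949110"
FIELD = re.compile(r'\[(id|severity|msg) "([^"]*)"\]')
TOTAL = re.compile(r"Total Score: (\d+)")


def parse_h_section(text):
    """Return ([(rule_id, severity, msg), ...], reported_total_or_None).

    The 949110 line is not a scoring rule; its msg carries the total that
    CRS computed from every match, logged or not."""
    rules, total = [], None
    for line in text.splitlines():
        if not line.startswith("ModSecurity: "):
            continue
        fields = dict(FIELD.findall(line))
        rule_id = fields.get("id", "")
        if rule_id == BLOCKING_EVALUATION_RULE:
            m = TOTAL.search(fields.get("msg", ""))
            if m:
                total = int(m.group(1))
            continue
        rules.append((rule_id, int(fields.get("severity", "0")), fields.get("msg", "")))
    return rules, total


def logged_points(rules):
    """Anomaly points accounted for by the rule lines present in the log."""
    return sum(SEVERITY_POINTS.get(sev, 0) for _, sev, _ in rules)


def unlogged_points(text):
    """Points in the 949110 total with no matching logged rule line.

    A positive value means further matches (other rules, or extra targets of
    a rule that was logged once) never reached the audit log, so an exclusion
    written from this log alone will not fully resolve the false positive."""
    rules, total = parse_h_section(text)
    if total is None:
        return 0
    return total - logged_points(rules)


if __name__ == "__main__":
    rules, total = parse_h_section(SAMPLE_H_SECTION)
    for rule_id, sev, msg in rules:
        print(f"{rule_id} severity={sev} points={SEVERITY_POINTS.get(sev, 0)}  {msg}")
    print(f"logged={logged_points(rules)} total={total} unaccounted={unlogged_points(SAMPLE_H_SECTION)}")
```

Run against the second log above it reports 20 unaccounted points, which is exactly the signal that more tuning iterations will be needed before trusting the exclusion.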

Hi @EsadCetiner,

thanks for this detailed report.

First of all, let me ask you: the lines in the H section under the expected behavior part have different unique_ids. There are 3 or 4 different ids, but, as far as I know, in a transaction the unique ids must be the same.

Is this just a typo?

Btw, there is a known bug in libmodsecurity3: if a rule matches with multiple targets, then only one target will be logged. But the TX anomaly score is incremented "normally". Maybe you ran into this problem?

airween avatar Aug 06 '24 16:08 airween

@EsadCetiner

> First of all, let me ask you: the lines in the H section under the expected behavior part have different unique_ids. There are 3 or 4 different ids, but, as far as I know, in a transaction the unique ids must be the same.
>
> Is this just a typo?

Yes, I was just showing approximately how I wanted the log output to look.

> Btw, there is a known bug in libmodsecurity3: if a rule matches with multiple targets, then only one target will be logged. But the TX anomaly score is incremented "normally". Maybe you ran into this problem?

Yeah, I think that's the issue I'm encountering. Only 3 rules are being triggered in the example payload I used: 942432, 931130, and 920273 (I didn't notice this before). By the way, I couldn't find an open issue related to this in this repo or the nginx one.

EsadCetiner avatar Aug 07 '24 07:08 EsadCetiner

Okay, thanks for confirming the behavior.

> By the way, I couldn't find an open issue related to this in this repo or the nginx one.

Then this is the one which describes the bug :).

Thanks.

airween avatar Aug 07 '24 07:08 airween