
libModSecurity3: all triggered rule IDs sometimes won't be logged with anomaly scoring #3204

Status: Open
EsadCetiner opened this issue Aug 2, 2024 · 3 comments
Labels: 3.x (Related to ModSecurity version 3.x), bug (It is a confirmed bug)

Comments

@EsadCetiner

Describe the bug

ModSecurity sometimes doesn't fully log all of the rule IDs triggered within a request. This is annoying with false positives, as you'll have to go through multiple tuning iterations just to resolve one false positive. This happens in both detection-only mode and blocking mode. I haven't been able to find a reason behind what's causing this, but I do know how to trigger the issue.

Logs and dumps

N/A, see below.

To Reproduce

I have some test payloads in my SOGo plugin that have this issue; run them against CRS using go-ftw 0.6.4:
https://coreruleset.org/docs/development/testing/
I'll be using this test as an example: https://github.com/EsadCetiner/sogo-rule-exclusions-plugin/blob/b224054707ca0d0e7b73c9af4b1ae265970baf98/tests/regression/sogo-rule-exclusions-plugin/9520130.yaml#L8

As an end user, I get a false positive like this:

---5DJqybFW---A--
[31/Jul/2024:16:30:10 +1000] 172240741056.351112 127.0.0.1 56232 127.0.0.1 8080
---5DJqybFW---B--
POST /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---5DJqybFW---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---5DJqybFW---D--

---5DJqybFW---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---5DJqybFW---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 31 Jul 2024 06:30:10 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---5DJqybFW---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `41' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 41)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref ""]

So then I create a rule exclusion, thinking it'll fix the issue:

SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
    ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
    ctl:ruleRemoveTargetById=920273;REQUEST_BODY"

Then later on I encounter the exact same false positive with the exact same payload:

---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---ibRMdl5Z---D--

---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]

---ibRMdl5Z---I--

Now I have to modify my previous rule exclusion to exclude the new rule IDs showing up:

SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=920273;ARGS_NAMES:json.$hasAlarm,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
    ctl:ruleRemoveTargetById=942432;ARGS:json.id,\
    ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
    ctl:ruleRemoveTargetById=920273;REQUEST_BODY"

But if you pay attention to the anomaly score, you'll see that there's a score of 28 but only 2 rules have been logged (both adding up to 8 points). I'll have to do a few more iterations before this false positive can be fully resolved.

Expected behavior

I should be able to see all of the rule IDs triggered the first time so I can fully resolve the false positive the first time. Something like this:

---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin

---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}

---ibRMdl5Z---D--

---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close

---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS:json.attachUrls.array_0.value' (Value: `https://example.com/' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS:json.attachUrls.array_0.value=https://example.com/"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completed' (Value: `2024-03-04T15:37:15.262Z' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completed: 2024-03-04T15:37:15.262Z"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]

---ibRMdl5Z---I--

Server:

  • ModSecurity version: ModSecurity v3.0.12 with nginx-connector v1.0.3
  • WebServer: Nginx 1.18.0
  • OS (and distro): Ubuntu 22.04

Rule Set: CRSv4.5.0

Additional context

N/A

@EsadCetiner EsadCetiner added the 3.x Related to ModSecurity version 3.x label Aug 2, 2024
@airween
Member

airween commented Aug 6, 2024

Hi @EsadCetiner,

thanks for this detailed report.

First of all, let me ask you: the lines in the H section under the expected behavior part have different unique_ids. There are 3 or 4 different ids, but, as far as I know, in a transaction the unique ids must be the same.

Is this just a typo?

Btw, there is a known bug in libmodsecurity3: if a rule matches multiple targets, then only one target will be logged, but the TX anomaly score is incremented "normally". Maybe you ran into this problem?
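To make the gap described in the report and in the comment above visible during tuning, here is an added example (not part of the issue or of ModSecurity itself) that parses the H section of a libModSecurity3 audit log, adds up the CRS points of the matches that were actually logged, compares them with the total reported by rule 949110, and derives the ctl:ruleRemoveTargetById actions the logged matches justify. It assumes the default CRS 4 severity-to-score mapping, and the sample H section embedded below is constructed (shortened from the second log in the report).

```python
import re

# Default CRS 4 anomaly points per ModSecurity severity number
# (2 CRITICAL = 5, 3 ERROR = 4, 4 WARNING = 3, 5 NOTICE = 2).
SEVERITY_POINTS = {2: 5, 3: 4, 4: 3, 5: 2}
BLOCKING_EVAL_RULE = "949110"  # CRS inbound blocking evaluation rule

ID_RE = re.compile(r'\[id "(\d+)"\]')
SEVERITY_RE = re.compile(r'\[severity "(\d+)"\]')
VARIABLE_RE = re.compile(r"against variable `([^']*)' \(Value:")
TOTAL_RE = re.compile(r"Total Score: (\d+)")


def parse_h_section(text):
    """Return (matches, reported_total) from the lines of an audit-log H section."""
    matches, reported_total = [], None
    for line in text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        rule_id = ID_RE.search(line)
        if rule_id is None:
            continue
        if rule_id.group(1) == BLOCKING_EVAL_RULE:
            total = TOTAL_RE.search(line)
            if total:
                reported_total = int(total.group(1))
            continue
        severity = SEVERITY_RE.search(line)
        variable = VARIABLE_RE.search(line)
        matches.append({
            "id": rule_id.group(1),
            "severity": int(severity.group(1)) if severity else None,
            "variable": variable.group(1) if variable else "",
        })
    return matches, reported_total


def score_gap(matches, reported_total):
    """Points accounted for by logged matches, and how many the total reports beyond them."""
    logged = sum(SEVERITY_POINTS.get(m["severity"], 0) for m in matches)
    missing = None if reported_total is None else reported_total - logged
    return logged, missing


def exclusion_actions(matches):
    """Build the ctl:ruleRemoveTargetById actions the logged matches justify."""
    actions = []
    for m in matches:
        variable = m["variable"]
        # CRS rule 931130 checks a copy in TX:rfi_parameter_<var>; the
        # exclusion must name the original ARGS variable, as in the report.
        if variable.startswith("TX:rfi_parameter_"):
            variable = variable[len("TX:rfi_parameter_"):]
        action = f"ctl:ruleRemoveTargetById={m['id']};{variable}"
        if action not in actions:
            actions.append(action)
    return actions


# Constructed sample H section, shortened from the second log in the report.
SAMPLE_H = """\
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [id "920273"] [severity "2"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [id "942432"] [severity "4"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [severity "0"]
"""

if __name__ == "__main__":
    found, total = parse_h_section(SAMPLE_H)
    logged, missing = score_gap(found, total)
    print(f"logged matches account for {logged} of {total} points; {missing} unaccounted")
    for action in exclusion_actions(found):
        print(action)
```

A positive "unaccounted" value is the signature of the bug discussed here: matches that raised the score but never reached the log, so another tuning round will be needed after the derived exclusions are applied.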

@EsadCetiner
Author

> First of all, let me ask you: the lines in the H section under the expected behavior part have different unique_ids. There are 3 or 4 different ids, but, as far as I know, in a transaction the unique ids must be the same.
>
> Is this just a typo?

Yes, I was just showing approximately how I wanted the log output to look.

> Btw, there is a known bug in libmodsecurity3: if a rule matches multiple targets, then only one target will be logged, but the TX anomaly score is incremented "normally". Maybe you ran into this problem?

Yeah, I think that's the issue I'm encountering. Only 3 rules are being triggered in the example payload I used: 942432, 931130, and 920273 (I didn't notice this before). By the way, I couldn't find an open issue related to this in this repo or the nginx one.

@airween
Member

airween commented Aug 7, 2024

Okay, thanks for confirming the behavior.

> By the way, I couldn't find an open issue related to this in this repo or the nginx one.

Then this is the one which describes the bug :).

Thanks.

@airween airween self-assigned this Aug 7, 2024
@airween airween added the bug It is a confirmed bug label Oct 14, 2024