Issue originally created by user d-schramm on date 2013-04-11 13:51:39.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#26.

I get bogus error messages in DetectionOnly with mod_security2 v2.7.0 and CRS version 2.2.7:

[Thu Apr 11 11:52:29 2013] [error] [client 10.0.0.1] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. 
[file "/usr/local/httpd_v22_32bit/conf/modsecurity2/activated_rules/30_modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] 
[msg "Request content type is not allowed by policy"] 
[data "text/xml"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [hostname "host.example.net"] 
[uri "/url/1"] [unique_id "UWaH3QoSEDoAAH-QRHoAAAAP"]

[Thu Apr 11 11:47:35 2013] [error] [client 10.0.0.2] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. 
[file "/usr/local/httpd_v22_32bit/conf/modsecurity2/activated_rules/30_modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] 
[msg "Request content type is not allowed by policy"] 
[data "application/x-www-form-urlencoded"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [hostname "host.example.net"] 
[uri "/url/2"] [unique_id "UWaGtwoSEDoAAH8MAXMAAAAA"]

I think the regular expression captures the whitespace around the Content-type header value, and the whole string is compared to the allowed request content types. The comparison fails. The following patch fixes the error messages:

base_rules/modsecurity_crs_30_http_policy.conf
66c67
<       SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

---
>       SecRule TX:1 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

I am not aware of any restriction on initial whitespace in header values, though a quick RFC search yielded nothing to prove my point.

Issue originally created by user flyingstar16 on date 2013-04-30 14:53:55.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#28.

Really minor issue in modsecurity_crs_10_setup.conf.example

# You should use the modsecurity.conf-recommended file that comes with the
# ModSecurity source code archive.
#
# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
#

The ref is outdated; the correct one should be

https://raw.github.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended

Thanks for the great work!

Issue for tracking original pull request created by user sebastianw on date 2013-06-04 20:51:10.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#40.

HEAD is: a78a0aa5edf096ef7c3be6bd41a9c25bee919298
BASE is: cee50a9
The tx.allowed_methods macro is needed in phase 1 but the config file
only sets it in phase 2 (request). This always triggers rule 960032 in
base_rules/modsecurity_crs_30_http_policy.conf.

Issue for tracking original pull request created by user jwbrown77 on date 2013-05-06 16:41:03.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#31.

HEAD is: fab2f0c
BASE is: d4f9c5a
Hi Ryan,

I found last year that the outbound credit card checks weren't functioning properly because the top rule in the chain wasn't capturing output. I've had custom rules that fixed this for a while, but figured they should make their way into the official repository.

Thanks

Issue originally created by user OrySegal on date 2013-05-23 11:35:08.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#35.

The following section of the regular expression:

(?:["'´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'´’‘]?\s?\w+\W+\w)

Will match on the following values:

• "|name=value"
• "-1<2"
• '-a-b-c'

And so forth.

I'm nor certain what this specific section is trying to achieve, so I can't offer a fix.

Issue originally created by user remotehelp on date 2013-02-06 04:18:32.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#13.

if "Include modsecurity.d/slr_rules/*.conf" (mod_security-2.7.2, mod_security_crs-2.2.6) get result:

sh-4.1# httpd -t
Syntax error on line 17 of /etc/httpd/modsecurity.d/slr_rules/modsecurity_crs_46
_slr_et_joomla_attacks.conf:
ModSecurity: No action id present within the rule

How to enable slr_rules?;(

Issue originally created by user remotehelp on date 2013-02-05 02:57:03.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#12.

If get some pages in joomla 1.5 CMS on remoteshaman.com site mod_security false alarm as test mode "SecRuleEngine DetectionOnly":

--82e83c6c-A--
[05/Feb/2013:06:39:06 +0400] URBwyl2qgHIAADehGLYAAAAA 109.95.47.222 41573 127.0.
0.1 81
--82e83c6c-B--
GET /index.php?option=com_content&view=article&id=139:bezvozvratnoe-udaleniezati
ranieunichtozhenie-fajlovkatalogov-dannyxinformaczii-iz-konsoli&catid=1:defence&
Itemid=65 HTTP/1.0
Host: remoteshaman.com
X-Real-IP: 109.95.47.222
Connection: close
User-Agent: Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.10.229 Version/11.64
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, imag
e/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://remoteshaman.com/
Cookie: c95b573d4ece60267eebe4909c7dcf18=52+B+3+E4A11+95B5B11444A+04259585857415
F15595551+F11+7+65A5A+C5B4045435545+D41415A40+B+15F124758464114+B14+7465946+9575
1+D112D686B7B77611C5B+0531446431B5E4D; jc_homepage=; 1fd4e15a49b554fa07c1f5692db
f224e=1; currentURI=http%3A%2F%2Fremoteshaman.com%2Findex.php%3Foption%3Dcom_com
munity%26view%3Dvideos%26Itemid%3D59; 102d16838e890126ac58488e19aaad2d=h6bt6hg3u
td65k30n25u37i1k1; activeProfile=64; b=b
Cache-Control: no-cache

--82e83c6c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.21
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 05 Feb 2013 02:39:06 GMT
Connection: close
Content-Type: text/html; charset=utf-8

--82e83c6c-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql
_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted
SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
 [data "Matched Data: - found within ARGS:id: 139:bezvozvratnoe-udaleniezatirani
eunichtozhenie-fajlovkatalogov-dannyxinformaczii-iz-konsoli"] [ver "OWASP_CRS/2.
2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\~\\!\\@\\#\\$\\%
\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2
\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_cor
relation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inb
ound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert -
 Total # of special characters exceeded"] Warning. Operator LT matched 5 at TX:i
nbound_anomaly_score.
Apache-Handler: fcgid-script
Stopwatch: 1360031946334718 414785 (- - -)
Stopwatch2: 1360031946334718 414785; combined=13942, p1=666, p2=13121, p3=0, p4=
0, p5=155, sr=92, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6
.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--82e83c6c-Z--

--36a9ea69-A--
[05/Feb/2013:06:39:12 +0400] URBw0F2qgHIAADejHWgAAAAC 66.249.75.136 57737 93.170
.128.114 443
--36a9ea69-B--
GET /pt/index.php?option=com_content&view=article&id=129%3Aobnaruzhen-novyj-gene
rator-virusov-diy&Itemid=118 HTTP/1.1
Host: remotehelp.pp.ua
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h
tml)
Accept-Encoding: gzip,deflate

--36a9ea69-F--
HTTP/1.1 301 Moved Permanently
Location: http://remoteshaman.com/pt/index.php?option=com_content&view=article&i
d=129%253Aobnaruzhen-novyj-generator-virusov-diy&Itemid=118
Content-Length: 416
Connection: close
Content-Type: text/html; charset=iso-8859-1

--36a9ea69-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://remoteshaman.com/pt/index.php?option=c
om_content&amp;view=article&amp;id=129%253Aobnaruzhen-novyj-generator-virusov-di
y&amp;Itemid=118">here</a>.</p>
<hr>
<address>Apache Server at remotehelp.pp.ua Port 443</address>
</body></html>

--36a9ea69-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql
_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted
SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
 [data "Matched Data: - found within ARGS:id: 129:obnaruzhen-novyj-generator-vir
usov-diy"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Patter
n match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\
\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_cor
relation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inb
ound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert -
 Total # of special characters exceeded"] Warning. Operator LT matched 5 at TX:i
nbound_anomaly_score.
Stopwatch: 1360031952686859 35016 (- - -)
Stopwatch2: 1360031952686859 35016; combined=3711, p1=185, p2=3149, p3=0, p4=314
, p5=63, sr=74, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6
.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--36a9ea69-Z--

--6825be5e-A--
[05/Feb/2013:06:39:13 +0400] URBw0V2qgHIAADeiG**gAAAAB** 66.249.78.24 41653 127.0.0
.1 81
--6825be5e-B--
GET /pt/index.php?option=com_content&view=article&id=129%253Aobnaruzhen-novyj-ge
nerator-virusov-diy&Itemid=118 HTTP/1.0
Host: remoteshaman.com
X-Real-IP: 66.249.78.24
Connection: close
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h
tml)
Accept-Encoding: gzip,deflate

--6825be5e-F--
HTTP/1.1 404 Not Found
Content-Length: 276
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6825be5e-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pt/index.php was not found on this server.</p>
<hr>
<address>Apache Server at remoteshaman.com Port 80</address>
</body></html>

--6825be5e-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_pro
tocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL
Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"]
[accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] Warning. Pattern mat
ch "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql
_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted
SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
 [data "Matched Data: - found within ARGS:id: 129:obnaruzhen-novyj-generator-vir
usov-diy"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Patter
n match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\
\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_cor
relation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (
Total Inbound Score: 6, SQLi=1, XSS=): Restricted SQL Character Anomaly Detectio
n Alert - Total # of special characters exceeded"] Warning. Operator GE matched
5 at TX:inbound_anomaly_score.
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.23/server/core.c"] [line 37
08] [level 3] File does not exist: /var/www/wrs/public_html/pt
Stopwatch: 1360031953049913 8777 (- - -)
Stopwatch2: 1360031953049913 8777; combined=7021, p1=95, p2=6668, p3=0, p4=200,
p5=58, sr=28, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6
.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--6825be5e-Z--

almost all requests to the site pages mod_setsurity mistaken as an attack;((

where is ([data "Matched Data: ;id found within ARGS_NAMES:amp;id: amp;id"]) the "System Command Injection"?;(

--ad06f25a-A--
[06/Feb/2013:14:33:32 +0400] URIxfF2qgHIAAGEldGQAAAAB 195.66.197.148 40963 127.0
.0.1 81
--ad06f25a-B--
GET /index.php?option=com_content&view=article&id=67%3Austanovka-pear-na
-php-54-pod-windows&Itemid=66 HTTP/1.0
Host: remotehelp.pp.ua
X-Real-IP: 195.68.197.148
Connection: close
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefo
x/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

--ad06f25a-F--
HTTP/1.1 403 Forbidden
Content-Length: 277
Connection: close
Content-Type: text/html; charset=iso-8859-1

--ad06f25a-E--

--ad06f25a-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_gen
eric_attacks.conf"] [line "209"] [id "950006"] [rev "2"] [msg "System Command In
jection"] [data "Matched Data: ;id found within ARGS_NAMES:amp;id: amp;id"] [sev
erity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OW
ASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10
/A1"] [tag "PCI/6.5.2"] Access denied with code 403 (phase 2). Pattern match "(?
:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:ou
te|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+
)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod
.{0,40}?\\ ..." at ARGS_NAMES:amp;id.
Action: Intercepted (phase 2)
Apache-Handler: php5-fcgi
Stopwatch: 1360146812114807 1305 (- - -)
Stopwatch2: 1360146812114807 1305; combined=600, p1=186, p2=396, p3=0, p4=0, p5=
18, sr=56, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6
.
Server: Apache
Engine-Mode: "ENABLED"

--ad06f25a-Z--

Issue originally created by user kandyjet on date 2013-05-29 05:14:56.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#37.

i am using the latest set of owasp crs.

an sql injection test on a website in our server has the following result.

Test1 :
a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -

Result : Error 406 issued successfully

Test2 :
a'///!unIoN////!SelEct///1,/!table_name/,database()//from//information_schema.tables//WheRe/**/tablE_SchEma=daTabase()--+-

Result :
Successfully bypassed the security.

Issue for tracking original pull request created by user sebastianw on date 2013-06-04 20:42:44.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#39.

HEAD is: f4e1653c8f6aad00ce92d312ebd104eae8f5c9e9
BASE is: cee50a9
Fixed a trailing whitespace in base_rules/10-REQUEST-IP-REPUTATION.conf

Issue originally created by user sathieu on date 2012-11-13 13:51:57.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#9.

Hi,

Some new commit use actions "ver", "maturity" and "accuracy". Those are not available in mod_security 2.6.

Mod_security 2.7 is very new (October 16, 2012) and depending on it will break installations using distribution packages or others.

At least, provide a "2.6" branch to include important fixes like "92c65eba3dc7".

Issue originally created by user failshell on date 2013-07-12 17:50:08.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#49.

It would be nice if rules followed a stricter logic. It makes it harder (although not impossible) to automate the deployments of the CRS rules (im guessing the commercial rules have the same issue).

For example, the optional rule modsecurity_crs_42_comment_spam.conf has a data file named modsecurity_42_comment_spam.data. Forcing me to gsub the file name to remove _crs.

It would be more elegant, and easier to configure using a CM tool like Chef/Puppet if rules file name matched their data file name.

Issue for tracking original pull request created by user 4ft35t on date 2013-06-13 09:05:14.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#44.

HEAD is: 38cabca
BASE is: 33612c6
fix the regex error of rule id:'970013' in modsecurity_crs_50_outbound.conf

Issue originally created by user theguly on date 2013-02-28 17:35:10.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#18.

git cloned at ~16.00utc

Syntax error on line 26 of /etc/modsecurity/crs/modsecurity_crs_49_header_tagging.conf:
ModSecurity: Found another rule with the same id

rules with id 981173 appears on modsecurity_crs_41_sql_injection_attacks.conf and modsecurity_crs_49_header_tagging.conf

Issue for tracking original pull request created by user FireFart on date 2012-11-01 08:31:05.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#7.

HEAD is: 3ec8cda
BASE is: aa2ff61

• Now all calls to DBMS_ Packages are detected. Before there were only 2 specific DBMS Packages, but there are many more
• Calls to utl_inaddr are now detected. This one is for DNS based attacks: http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/u_inaddr.htm
• Calls to SYS_CONTEXT are now detected. This is a function for determing some database/session variables: http://docs.oracle.com/cd/B19306_01/server.102/b14200/functions165.htm

Issue for tracking original pull request created by user MichaelHaas on date 2013-04-11 20:53:27.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#27.

HEAD is: b054a4d
BASE is: 19e0307
Error messages misleading with TX.0 in it when it should be TX:00000-..
for example
Expanded "TX:/^\d/" to "TX:0|TX:981245-Detects basic SQL authentication bypass attempts 2/3-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:TESTARGS"
Then TX:0 matches. If you want this information for further processing it is not useful to get TX:0 because it has no information which rule matched.

Issue for tracking original pull request created by user claudijd on date 2012-09-19 16:10:16.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#1.

HEAD is: 657f6e8
BASE is: 859905d

• Adds a regression test for detecting basic SQL
  authentication bypass attempts 1/3 (981244)

Issue for tracking original pull request created by user dune73 on date 2013-07-22 07:55:16.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#50.

HEAD is: 925b0773534897eafde72231898dd218541e8a1b
BASE is: 0f07cbb

Issue originally created by user Shuro on date 2013-06-04 08:30:00.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#38.

My apache error_log got many modsecurity-crs-logs, even with
SecDefaultAction "phase:1,pass,nolog,auditlog"
in my modsecurity_crs_10_setup.conf .

Seems like there are hard "log" parts in
base_rules/modsecurity_crs_60_correlation.conf

Issue for tracking original pull request created by user gwroblew on date 2013-03-15 06:25:20.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#23.

HEAD is: 99e69db
BASE is: 40b2c75
These rules were tested and are divided into two groups: volatile and non-volatile ones. The volatile ones generate more false positives, while non-volatile ones are very robust.

Issue originally created by user kandyjet on date 2013-06-18 07:18:38.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#45.

Hello,

We have installed the OWASP rule set. But the rule fails to block the following sql

' or 'a'='a'-- -

What could be wrong?

Issue originally created by user OrySegal on date 2013-05-23 10:59:00.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#34.

Here is the regression test:

%test Invalid HTTP Request Line (960911) - Test 2

%remark
This test uses backslashes instead of forward slashes.
%endremark
%status 400|403
%request
GET \index.html HTTP\1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive

When sniffing the traffic over the wire, you will notice that the \index.html is being sent as simply "index.html" (backslash disappears), and the HTTP protocol version is sent as HTTP[\x01].0 - (\1 is sent as \x01 ASCII).

My guess is that the test needs some escaping for the backslash characters.

I ran a quick search on other tests, and none of them has a similar problem.

Issue for tracking original pull request created by user MichaelHaas on date 2013-03-15 21:58:48.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#24.

HEAD is: 257c93568f094667fb89ca4e59d7181ca7bde59c
BASE is: 19e0307
no need to change/rearrange the rule ids, it only makes it complicated to migrate exceptions.
new rule 973334 changed to 973344 since it was used in 2.2.6

Issue originally created by user OrySegal on date 2013-05-19 18:57:34.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#33.

It seems like rule 950901, is matching on some cookies that contain a substring which looks like a tautology. For example:

Cookie: LoginCookie=wh=www.some.site ab=/path/login?param1=value1&param2=value2&callback=jsonp1368230255523&_=1368230255732 cd=1 rh=http://www.some.site ru=%2Fpath%2Fpath2%2Flogin

Notice the "h=h" substring in the cookie value, which triggers.

I think it would make more sense to add \b around the tautology regex, or at least require one or more whitespaces around it

Issue for tracking original pull request created by user dune73 on date 2013-05-07 11:51:38.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#32.

HEAD is: 2dfc926
BASE is: d4f9c5a
Properly initialized the following variables as 0
so that they do not end up as "-" when used in a
logfile:
tx.anomaly_score
tx.sql_injection_score
tx.xss_score
tx.inbound_anomaly_score
tx.outbound_anomaly_score

Set these in rule 900002. Moved initialization of
tx.inbound_anomaly_score_level to the rule 900003, to that
900002 would be freed.

Issue for tracking original pull request created by user koto on date 2012-11-30 19:38:06.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#10.

HEAD is: 805d316
BASE is: 7b4ad7f
Used Object.defineProperty(,,{configurable: false})) to prevent proxy objects from being simply deleted. It's just a start.

Issue originally created by user rcbarnett-zz on date 2012-10-31 01:08:17.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#6.

We are aware of download errors when attempting to download the ZIP/TAR files. The problem is associated with the nodeload.github.com domain. We have opened a ticket with GH Support.

In the interim, you can use -

$ git close master

Issue originally created by user MichaelHaas on date 2013-03-09 16:43:17.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#21.

Rules 981243, 981318 and 981173

The following characters are creating false positives ´’‘ .
I think the best way would be to remove the characters from the rule and add the t:utf8toUnicode,t:urlDecodeUni transformations.
If the removed charcters are needed then they should be moved to another rule so these three rules don't need to be excluded because of false positives.

Michael

Issue for tracking original pull request created by user benwilliams on date 2012-11-12 00:36:49.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#8.

HEAD is: 36e19a1
BASE is: aa2ff61
Some cookies did not match in RESPONSE_HEADERS:/Set-Cookie2?/ but did match in REQUEST_COOKIES. ie ASPSESSIONIDXXX.

Also there was a bug related to comparisons on collection keys that do
not exist. When a request contains a cookie that has not been saved to
the SESSION collection before, the intention is for tx.anomaly_score
to be incremented by 5 (critical) and the rest of the checks skipped,
but this does not happen. Any test on a collection key that does not
exist always returns false. This means the test on SESSION:VALID "!@eq
1" returns false, when the intention is for it to return true if the
session cookie has not been seen before. And the following rules in
the block are run which triggers 981059,981060,981061 to return true
since it is a new session collection withou ip_hash or ua_hash keys.

Issue originally created by user kandyjet on date 2013-06-21 12:38:52.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#47.

Hello,

i made the following sql statements on a text box in a website that kept for searching drivers and returns results in an ajax response. All of the below 3 statements we denied with a 406 not acceptable. but if i tested the blow on a login form with POST Method, the form successfully loges in. what could be the problem?

Test1 :

a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -

Test2 :

a'///!unIoN////!SelEct///1,/!table_name/,database()//from//information_schema.tables//WheRe/**/tablE_SchEma=daTabase()--+-

Test3 :

' or 'a'='a'-- -

Issue for tracking original pull request created by user zouguangxian on date 2013-05-04 15:43:19.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#30.

HEAD is: 0c0fe91
BASE is: d4f9c5a

# service apache2 restart
Syntax error on line 121 of /etc/modsecurity/enabled_rules/modsecurity_crs_55_application_defects.conf:
Error parsing actions: Unknown action: '
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!

Issue originally created by user OrySegal on date 2013-05-23 11:48:08.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#36.

The following section of the regular expression:

(?:["'´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'´’‘])

Will generate false positives on strings such as:

• "orca-1"
• 'ornament=1'
  *"divider-1"

In general, JSON objects would have a high chance of containing such strings, for example:

{"name":"divider-1"}

Issue for tracking original pull request created by user rcbarnett-zz on date 2013-06-05 12:47:36.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#42.

HEAD is: 5e35b7e
BASE is: 75dbef2

Issue originally created by user yabdab on date 2013-04-30 19:54:45.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#29.

I am using the latest mod_security with base rules. I have discovered that all files handled by mod_pagespeed ( js, css, images, etc.. ) are missing the "Accept Header", thus triggering the block and virtually throwing 403 errors for every page serve from my Linux instance. Furthermore, some of the compression to javascripts are creating strings that make MS think it is a sql injection.

Is there a way to adjust rule(s) so that pagespeed files are ignored when scoring?

Issue originally created by user sathieu on date 2012-10-04 14:24:11.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#5.

Hi,

The file base_rules/modsecurity_crs_41_sql_injection_attacks.conf has bot tags WEB_ATTACK/SQLI and WEB_ATTACK/SQL_INJECTION.

This is inconsistent.

Issue originally created by user theguly on date 2013-02-28 17:32:28.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#17.

git clone some minutes ago:
Syntax error on line 35 of /etc/modsecurity/crs/modsecurity_crs_10_ignore_static.conf:
ModSecurity: No action id present within the rule

Issue for tracking original pull request created by user rcbarnett-zz on date 2013-06-05 12:21:46.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#41.

HEAD is: cee50a9
BASE is: 3c9cc81

Issue originally created by user BlaSTiWi on date 2013-02-11 15:44:01.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#15.

Using latest commit (#6607644166) produced:

Apache# httpd -t
Syntax error on line 38 of /[...my path...]/activated_rules/modsecurity_crs_42_comment_spam.conf:
ModSecurity: No action id present within the rule

Issue originally created by user xformerfhs on date 2013-02-18 11:53:25.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#16.

The "bad robots" rule (id 990012) contains a line that blocks all traffic with an user agent containing the string "Windows XP 5". However, each and every Java applet that runs on a Windows XP machine has a user agent string that looks like this: "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_13".

That means that this rule kicks out everyone connecting with a Java applet from a Windows XP machine. This is surely not the correct behaviour, so the rule should be fixed to either not block user agent string that contain "Windows XP" or, that it only blocks traffic where the user agent string contains exactly "Windows XP 5". I.e. not with a "." following it.

Issue originally created by user OrySegal on date 2013-06-18 09:50:10.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#46.

Hi,

There is a set of rules in 2.2.6 (mostly SQL Injection) that constantly generate false positives on complex cookie values (e.g. JSON structures).

If it was one or two rules, I would say it's fine, but when it's 6 or more rules that constantly trigger on these cookies, I think we have a problem - this can't be fixed with a threshold setting.

In addition, I think that these rules are really not doing their task well - I don't think that the triggers you will see below are supposed to trigger.

Here is the cookie:

MyCookie={"v":1,"rid":"1371546489873_699561","to":5,"c":"http://www.some.site/page.aspx?a=5","pv":2,"lc":{"d0":{"v":2,"s":true}},"cd":0,"sd":0,"f":1371546904751}

Rules triggered:

• 973333 - matching string is:
  • ","to":5,"c":"http://www.some.site/page.aspx?a=
• 981172 - matching strings are:
  • {"v":1,"rid":"
  • ://www.some.site/page.aspx?a=5","pv":2,"lc":{"
  • }},"cd":0,"sd":
  • ","to":5,"c":"
  • ":{"v":2,"s":
• 981243 - matching strings are:
  • ":1,"
  • ":"137
  • ":5,"
  • ":2,"
  • ":{"
  • ":{"
  • ":2,"
  • ":0,"
  • ":0,"
  • ":13
• 981245 - matching strings are:
  • ":1,"r
  • ":"1371546489873_699561","t
  • ":5,"c
  • ":"http://w
  • ":2,"l
  • ":{"d0":{"v
  • ":2,"s
  • ":true}},"c
  • ":0,"s
  • ":0,"f
• 981246 - matching string is:
  • "rid":"
• 981257 - matching strings are:
  • ,"rid
  • ,"to":5,"c":
  • ,"pv":2,"lc":{
  • ,"s":true}},"cd":0,
  • ,"f":1371546904751}

Issue originally created by user kcmurphy on date 2013-03-13 15:23:03.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#22.

We are using Apache 2.2.24 32bit (provided by apachelounge.org) running on a Windows 2008 R2 server 64bit. We have been able to successfully run security2_module and the modsecurity_crs_10_setup.conf.example. Where we seem to be running into trouble is with loading of the individual rules. Per the readme.txt instructions, we attempted to add this code into our configuration files:

$ pwd
/apache2/conf/crs
$ ls
CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
....... ect.

We receive these errors in our Windows Application logs during start-up (which fails):

The Apache service named reported the following error:
Invalid command '$', perhaps misspelled or defined by a module not included in the server configuration .

The Apache service named reported the following error:
Syntax error on line 6 of C:/Apache2.2.24/conf/crs/activated_rules/modsecurity_crs_10_activated_rules.conf:

We are obviously missing something but can't figure out what. Any assistance would be greatly appreciated.

Also, we are running our Apache in ReverseProxy mode. Is there anything special we need to do to make certain that the rules are pointing in the right directions?

Thanks, Kevin

Issue for tracking original pull request created by user yersinia on date 2013-02-01 13:09:42.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#11.

HEAD is: 04f6ce7
BASE is: c9df736
...ure for dummy connection

When the apache HTTP Server manages its child processes, it sends a simple HTTP request back to itself.
This request will appear in the access_log file with the remote address set to the loop-back interface
and if you log the User-Agent string you will see the server signature followed by "(internal dummy connection)"
on non-SSL servers. modsecurity_crs_47_common_exceptions already contain a chained rule for skipping
the apache internal dummy connection if the connection is from the lookback address.

But if the administrator has set the directive SecServerSignature
to one of the ./modsecurity_35_bad_robots.data, for example chinaclaw, the skip rule for the internal dummy connection is not used,
because in that case the User-Agent is defined by the valued of the SecServerSignature, and
not contain the value Apache: in this case the rule 990012 will fire wrongly.
Therefore, because the skip rule it is applied already to connection from 127.0.0.1,
so it is sufficently safe, don't cause any problem to eliminate the "Apache" control also on the User-Agent variables.
It is very similar to a standard iptables setup in which it is common to put a catchall ACCEPT rule
on the loopback interface.

Issue for tracking original pull request created by user claudijd on date 2012-09-26 02:34:14.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#3.

HEAD is: 0916043
BASE is: 4c59042
This will cause vim .swp and .swo files from accidentally being
committed. Like seen here:

SpiderLabs/owasp-modsecurity-crs@1cedc60

Issue originally created by user renroy on date 2012-10-03 20:18:50.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#4.

Enabling CRSF protection (modsecurity_crs_43_crsf_protection.conf and modsecurity_crs_16_session_hijacking.conf) seems to break Oracle Access Manager login. Testing shows that modsecurity CRS for CRSF protection appends JavaScript to the end of the page, however, it's after the closing html tag and therefore is not rendered correctly. Additionally, if CRSF is left enabled, then login into the OAM protected resource is impaired.

Issue for tracking original pull request created by user zito on date 2013-06-25 12:14:13.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#48.

HEAD is: 6a87ace
BASE is: 33612c6
Fixes false positive on fooX=Xbar and similar.

Issue originally created by user remotehelp on date 2013-02-06 10:38:25.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#14.

If send article about programming aka POST in text argument, then the contents in text ARG matched rules in modsecurity_crs_40_generic_attacks.conf and modsecurity_crs_41_sql_injection_attacks.conf, ID 950010 950018 950910 950911 950005 950901 981317 ("LDAP Injection Attack", "Execution error - PCRE limits exceeded (-8): (null)", "HTTP Response Splitting Attack", "Remote File Access Attempt", "SQL Injection Attack: SQL Tautology Detected.", SQL SELECT Statement Anomaly Detection Alert) - and other many-many rules!;(

How to exclude from specific ARG like exclude ID aka SecRuleRemoveById?

Issue originally created by user twforeman on date 2013-03-06 20:46:29.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#19.

Line 106-107:

SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,block,msg:'Invalid request',id:'960913',severity:'4'"
SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"

When I try to start apache I get:

ModSecurity: Disruptive actions cannot be specified in the logging phase.

Unfortunately removing the block action doesn't work either. I'm pretty new to mod_security, I'm not sure what else is disruptive in that line.

Additionally the comment above this line states that mod_unique_id needs to be patched for this to work, but the gmane post is from 2009. Does this still need patching?

Issue for tracking original pull request created by user 4ft35t on date 2012-09-21 05:48:19.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#2.

HEAD is: 14cdecf
BASE is: 188b920
The '[' and ']' was not escaped, so the regex is wrong.

Issue for tracking original pull request created by user MichaelHaas on date 2013-03-15 22:41:26.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#25.

HEAD is: aec909a
BASE is: 19e0307
no need to change/rearrange the rule ids, it only makes it complicated to migrate exceptions.
new rules changed to id's 973344-48 since the other id's were used in 2.2.6

Issue for tracking original pull request created by user sathieu on date 2013-06-07 15:49:57.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#43.

HEAD is: 424d504
BASE is: 33612c6
See SpiderLabs/owasp-modsecurity-crs#9

Issue originally created by user twforeman on date 2013-03-08 16:24:43.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#20.

As I was working on parsing out the regex in line 220 (command injection) I came across this character class "[/]".

The regex checker I was using declares that this is an error.

I believe that it needs to be "[\/]" to include both "/" and "".