Fabio B. - 3 months ago
Apache Configuration Question

mod_security rule 981203 false positive

I just installed mod_security on my Apache2 web server.

I activated all of the base_rules/ from OWASP CRS.

I found a false positive by looking inside of /var/log/apache2/modsec_audit.log.

The target URL is:

/mobile//index.cfm?gclid=Cj0KEQjw_qW9BRCcv-Xc5Jn-26gBEiQAM-iJhcydtemGoKm4rCJ7gbEgz5qL-MXF0tMh5BkaxVPZPYwaAvhW8P8HAQ


The error log is:

Message: Warning. Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*?){4,}" at ARGS:gclid. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:gclid: Cj0KEQjw_qW9BRCcv-Xc5Jn-26gBEiQAM-iJhcydtemGoKm4rCJ7gbEgz5qL-MXF0tMh5BkaxVPZPYwaAvhW8P8HAQ"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=0): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]


The message is self-explanatory, but that is not a malicious URL for my website.

How can I 'whitelist' this kind of URL (e.g. ones containing a gclid parameter) instead of completely disabling rule 981203?

Answer

You could add this config after you've defined the other rules:

SecRuleUpdateTargetById 981203 !ARGS:'gclid'

However, I see a lot of false positives with this rule, so I often turn it off completely. The OWASP CRS is prone to over-alerting and requires a lot of tuning.

See this post for other suggested common rule tweaks: Modsecurity: Excessive false positives
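An added configuration example (not part of the original answer) that targets the exclusion at the rule the audit log shows matching on the parameter. In the log above, the pattern match at ARGS:gclid is rule 981173 in modsecurity_crs_41_sql_injection_attacks.conf (the gclid value contains four '-' characters, enough for the "{4,}" special-character regex); rule 981203 in modsecurity_crs_60_correlation.conf only inspects TX:inbound_anomaly_score ("Operator LT matched 5", i.e. the score of 3 was under the threshold of 5), so removing ARGS:gclid from 981203 cannot stop the alert. The file path and the local rule id 10001 are assumptions; any id that does not collide with your other local rules will do.

```apache
# Load this file AFTER the CRS rule files, e.g. as
# /etc/modsecurity/modsecurity_crs_99_local_exclusions.conf (path assumed).

# Site-wide exclusion: stop rule 981173 (the one that matched ARGS:gclid in the
# audit log) from inspecting the gclid parameter. Every other parameter is still
# checked, and the rule itself stays enabled.
SecRuleUpdateTargetById 981173 "!ARGS:gclid"

# Narrower alternative: only drop the target for requests under /mobile/, the
# path seen in the audit log. This runs in phase 1, before the phase 2 CRS rules,
# and removes the target at runtime for matching requests only.
# id 10001 is an assumed local id; pick one that does not collide with your rules.
SecRule REQUEST_URI "@beginsWith /mobile/" \
    "id:10001,phase:1,pass,nolog,t:none,ctl:ruleRemoveTargetById=981173;ARGS:gclid"
```

Use one of the two, not both. After adding the file, run `apache2ctl configtest` and reload Apache, then replay the URL from the question and confirm that /var/log/apache2/modsec_audit.log no longer records a 981173 match for ARGS:gclid (and therefore no 981203 correlation message for it).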
