Rule: 942190: False positive 0202 #2075

Closed
Shajinraj opened this issue May 17, 2021 · 6 comments · Fixed by #2078

@Shajinraj

Description

[-:error] ModSecurity: Warning. Pattern match "(?i:(?:[\"'](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\\\)]?|u(?:nion(?:[\\w(\\s]?select| select @)|ser\\s*?\\([^\\\\)]?)|s(?:chema\\s?\\([^\\\\)]?|elect.?\\w?user\\()|in ..." at ARGS:q. [file "../../../coreruleset-3.4-dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "200"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: User( found within ARGS:q: appUser(sitename,user)"] [severity "CRITICAL"] ["OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "*******************"]

Audit Logs / Triggered Rule Numbers

  • CRS version (e.g., v3.2.0):
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3):
  • Web Server and version (e.g., httpd 2.4.41):
  • Operating System and version: RHEL 7.9

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

Hi Guys,

I am getting this false positive when I click a particular tab in my website. Could you please help me remove this rule, or is there another fix?

@Shajinraj Shajinraj changed the title Rule: 942190: False positive #0202 Rule: 942190: False positive 0202 May 17, 2021
@azurit
Member

azurit commented May 17, 2021

Hi @Shajinraj! Thanks for reporting this. Can you, please, post a full request log? You can enable logging in modsecurity.conf using SecAudit directives.

@azurit
Member

azurit commented May 17, 2021

Ok, maybe it's not needed. If I'm looking correctly, this regexp from file regexp-942190.data is matching:
user\s*?\([^\)]*?

Maybe it can be rewritten into these two regexps:

^user\s*?\([^\)]*?
[^a-z]user\s*?\([^\)]*?

@Shajinraj
Author

As we are new to OWASP CRS, could you please help us: can we modify regexp-942190.data and add the given fix, or do we need to add it in a separate conf file?

@azurit
Member

azurit commented May 18, 2021

Edit file rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf, search for rule ID 942190 and change its first line to this:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\b(?:(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| select @)|ser\s*?\([^\)]*?)|s(?:chema\s*?\([^\)]*?|elect.*?\w?user\()|into[\s+]+(?:dump|out)file\s*?[\"'`]|from\W+information_schema\W|exec(?:ute)?\s+master\.)|[\"'`](?:;?\s*?(?:union\b\s*?(?:(?:distin|sele)ct|all)|having|select)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|\s*?exec(?:ute)?.*?\Wxp_cmdshell|\wiif\s*?\()" \
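
The following is an added test harness, not code from the issue or from CRS: it replays the reported ARGS:q value and a few constructed inputs through the original `user\s*?\([^\)]*?` fragment, azurit's two-regexp split, and the `\b`-anchored form used in the rewritten rule above, using Python's `re` with `re.I` as a stand-in for the rule's PCRE `(?i)` flag. The inputs other than the reported one are constructed for illustration.

```python
import re

# The ARGS:q value quoted in the report ("Matched Data: User( found within ARGS:q").
REPORTED_FP = "appUser(sitename,user)"

# Fragment from regexp-942190.data as quoted in the issue.
ORIGINAL = [r"user\s*?\([^\)]*?"]
# azurit's first proposal: two anchored alternatives.
SPLIT = [r"^user\s*?\([^\)]*?", r"[^a-z]user\s*?\([^\)]*?"]
# The \b-anchored form as it appears inside the rewritten 942190 rule.
WORD_BOUNDARY = [r"\buser\s*?\([^\)]*?"]


def matches(patterns, value):
    """True if any pattern matches, case-insensitively (the rule is (?i))."""
    return any(re.search(p, value, re.I) for p in patterns)


def classify(value):
    """Which of the three variants would fire on this value."""
    return {
        "original": matches(ORIGINAL, value),
        "split": matches(SPLIT, value),
        "word_boundary": matches(WORD_BOUNDARY, value),
    }


# Constructed inputs: the reported false positive, two values that should
# still match, and one that exposes a difference between the two proposals
# ('_' is a \w character, so \b does not separate "app_" from "user").
SAMPLES = [REPORTED_FP, "user()", "1 or user()=1", "app_user(x)"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} {classify(s)}")
```

The last sample shows that the two proposals are not equivalent: `[^a-z]user` still fires on `app_user(`, while the `\b` form does not.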

@dune73
Member

dune73 commented May 18, 2021

Please be aware that changing a rule file will prevent you from upgrading to a future version of the rule set.

It's usually better to address false positives with a rule exclusion. This technique is explained at length at https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/

@dune73
Member

dune73 commented May 18, 2021

I'm closing this issue in favor of the pull request at #2078.
