-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rule 933120 FP: Common Words #3637
Comments
I would not call it an accident, but definitely something that will lead to false positives. Simply removing them - as you propose - is a straightforward solution, but we also loose detection capabilities that way. We do not really have a regex for php configuration directives, but the @pmf approach is hard to fix. Anybody has a proposal? |
I can confirm they were re-added in CRSv4 as part of the bug bounty see: https://github.com/coreruleset/coreruleset/pull/3028/files#diff-e08f25b74f02a4dfc08f6dbba996d2d811c0d67324c72c63ea97dd57e10f5af5R106 It doesn't look like these words are causing many false positives. I can't find any reports of this causing false positives, and I haven't encountered any personally. An easy fix would be to move these to PL-2, or we could move the false positive prone words to another rule using a regular expression that does something like this |
Same thinking here. I mean the rule looks for the keywords and then it goes on to match on @ssigwart have you seen FPs in the wild, or did you just stumble over the keywords when looking at the rules (which would be a perfectly valid reason for a report, it's more a question of perspective). |
Thanks, @dune73 and @EsadCetiner. I'm upgrading from version 3 to 4 now and was comparing them to thwart off potential FPs. Even with the
I don't know a ton about the vulnerability to know the impact, but I was thinking that requiring only whitespace after would cut down on a lot of FPs. It wouldn't stop the FP on |
That's a good price for the Cabin. Thanks for the context. Yes, FPs like this are totally possible. This rule does not necessarily look at an exploit but it searches requests for traces of PHP code. Also: Your thinking how to reduce likeliness of FPs is good, but unfortunately, this is very hard to express in ModSecurity rule language. The problems is we have the entire parameter and the only thing we we know is that somewhere in that parameter, there is one of the keywords. |
I'm not too familiar with the rule language, but would there be a way to change the chain rule to something like this:
I haven't gotten it to actually work, but if you could remove whitespace and then check for the matched word (e.g. "engine"), followed but an equal sign, that might solve this. |
Nice try, but this is not going to work. For one, I think @pmf does not do macros and I do not think you can put the match in the tx variable like to you tried. Well maybe, but it would be a lot of playing around with this and I lack the time right now. |
Yeah, I just got to the point where I noticed that macro expansion isn't supported for |
Maybe this, but I'm not sure if there's a way to escape the macro replacement for
|
This seems pretty good if it's okay to require only whitespace before the
|
From some testing, macro extension for
|
@ssigwart that looks to work but it's overengineered imo, each chained rule added makes a rule harder to read and negatively effects performance. I'd remove the false positive words from 933120 and create another rule 933121 that uses the aforementioned regex to avoid the false positive. |
I do not think the performance is an issue since the chained rules and the creation of TX variables etc. only ever happens after a hit in the first rule. So if this behaves correctly, I'm inclined to accept it. I mean the introduction of rule 933121 would mean an additional rule for every request at PL2 plus the FP now at PL2, while the new recipe above works around the FPs, allows us to maintain the keyword list without a separate manual exclusion list and does not add another rule at PL2. So I think this is actually better even if it's harder to read. And @ssigwart is showing impressive rule writing talent. I like this. |
Thanks, @dune73. Yes, I intentionally did the |
Hey 👋 So I think all problematic worlds in the list should be this ones (found using:
I have added the following rule as a work around:
|
@niklasweimann There's already a PR open here that should resolve this issue, but I'm not sure of the status of it. #3638 |
Thanks, @dune73. The May 20th meeting is in the middle of my workday, but thanks for the invite. |
I'm not sure if this is a case of 'works as designed', but I work a lot with SAML-related software and I see two clear cases for rule
Is this expected to hit this rule, or have I just hit an edge case that is fixable? |
This is potentially something we would want to cover, namely if it's a standard product. Please open a separate bug report and add as much details as possible, namely the name of said product. |
Description
rules/php-config-directives.data
has this comment:coreruleset/rules/php-config-directives.data
Line 14 in 9875b44
However, it does include "engine", "extension", and "precision". I'm guessing they were accidentally added in version 4.0.0.
Confirmation
[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
The text was updated successfully, but these errors were encountered: