Author Topic: False-Positive report thread  (Read 26336 times)

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 365
False-Positive report thread
« on: May 07, 2014, 06:31:44 PM »
Please specify the following fields when you submit a false positive.

1. False-Positive RuleId
2. Web application + version
3. Request headers or at least debug log

You can mask some private data, but it is highly recommended that you specify ALL three fields.

Thank you.
« Last Edit: May 08, 2014, 04:16:11 AM by TDmitry »

Offline FugaziHimself

  • Newbie
  • *
  • Posts: 1
Re: False-Positive report thread
« Reply #1 on: June 09, 2014, 09:44:18 AM »
1. 210710
2. owncloud-6.0.3-6.1
3. Sun Jun 08 15:05:32 2014] [error] [client xxxxx] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/opt/comodo/cwaf/rules/cwaf_01.conf"] [line "427"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [hostname"] [uri "/remote.php/webdav/aaa.zip"] [unique_id "U5RfnDJ1B6wAAE1zL1AAAAAD"]

I have tried to exclude it with /opt/comodo/cwaf/etc/httpd/global/zzz_exclude_global.conf
<LocationMatch .*>
SecRuleRemoveById 210710
</LocationMatch>
<DirectoryMatch '^/remote.php/webdav/'>
   SecRuleEngine Off
</DirectoryMatch>

Doesn't work.

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 365
Re: False-Positive report thread
« Reply #2 on: June 10, 2014, 12:01:43 PM »
1. 210710
2. owncloud-6.0.3-6.1
3. Sun Jun 08 15:05:32 2014] [error] [client xxxxx] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/opt/comodo/cwaf/rules/cwaf_01.conf"] [line "427"] [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [hostname"] [uri "/remote.php/webdav/aaa.zip"] [unique_id "U5RfnDJ1B6wAAE1zL1AAAAAD"]
...
Will be fixed with next update.

Offline intellitech

  • Newbie
  • *
  • Posts: 14
Re: False-Positive report thread
« Reply #3 on: June 11, 2014, 06:46:18 AM »
1. 211570
2. WHMCS Ver. 5.3.7
3. Request headers or at least debug log -
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3932

Message: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?i:x{0,1}or)\\b[\\t\\n\\r ]{1,}('[^=]{1,10}'|[0-9]{1,10})[\\t\\n\\r ]{0,}?[<=>]|\\bor\\b {0,1}(?:[\"'][^=]{1,10}[\"']|[0-9]{1,10}) {0,1}[<=>]{1,}|\\b(?i:x{0,1}or)\\b[\\t\\n\\r ]{1,}('[^=]{1,10}'|[0-9]{1,10})|(?i:'[\\t\\n\\r ]{1,}x{0,1}or[\\t\\n ..." at ARGS:description. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "301"] [id "211570"] [msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: or 56 found within ARGS:description: <ul>\x0d\x0a <li>Upto 256-bit encryption</li>\x0d\x0a <li>Highest Browser Recognition in the industry</li>\x0d\x0a <li>Automatic step-up for older browsers</li>\x0d\x0a <li>Stringent Business Verification</li>\x0d\x0a <li>Issued within 2 days</li>\x0d\x0a <li>Thawte Trusted Site Seal</li>\x0d\x0a <li>Unlimited Free Reissues</li>\x0d\x0a <li>Supports IDN</li>\x0d\x0a <li>Supports SGC and step-up Technology</li>\x0d\x0a</ul>\x0d\x0a<p>It offers al..."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch:
Stopwatch2:
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"

Offline toenu

  • Newbie
  • *
  • Posts: 1
Re: False-Positive report thread
« Reply #4 on: June 18, 2014, 10:25:22 AM »
we ran into this false positive several times:

[Wed Jun 18 16:07:02 2014] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 503 (phase 2). Match of "rx ^\\\\d+px$" against "ARGS:width" required. [file "/path/to/cwaf-rules/cwaf_05.conf"] [line "1171"] [id "220620"] [msg "COMODO WAF: found CVE-2013-5963"] [hostname "domain.com"] [uri "/home/wp-admin/admin-ajax.php"]

Offline tripflex

  • Newbie
  • *
  • Posts: 1
  • Tech & Code Junkie
    • sMyles
Re: False-Positive report thread
« Reply #5 on: August 14, 2014, 09:00:39 PM »
False Positive for WHMCS 5.3.7

1.) 213070
2.) WHMCS 5.3.7
3.)

Specifically on saving the https://domain.com/whmcs/configgeneral.php file

--0ccd566b-F--
HTTP/1.1 403 Forbidden
Content-Length: 344
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--0ccd566b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[\"'][ ]{0,}(([^a-z0-9 ':_~])|(in)).{0,}?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|( ..." at ARGS:emailglobalheader. [file "/var/cpanel/cwaf/rules/cwaf_03.conf"] [line "1093"] [id "213070"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."] [data "Matched Data: \x22{$company_domain}\x22 target=\x22_blank\x22><img src=\x22{$company_logo_url}\x22 alt=\x22{$company_name}\x22 border= found within ARGS:emailglobalheader: <p><a href=\x22{$company_domain}\x22 target=\x22_blank\x22><img src=\x22{$company_logo_url}\x22 alt=\x22{$company_name}\x22 border=\x220\x22 />[/url]</p>"]
Action: Intercepted (phase 2)
Stopwatch: 1408063464225154 133149 (- - -)
Stopwatch2: 1408063464225154 133149; combined=84839, p1=300, p2=84445, p3=0, p4=0, p5=57, sr=50, sw=37, l=0, gc=0
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"


Offline JulesR

  • Newbie
  • *
  • Posts: 9
Re: False-Positive report thread
« Reply #6 on: August 27, 2014, 09:31:55 AM »
1. 211720
2. WHMCS 5.3.9.
3. Client couldn't submit a ticket within WHMCS. Log: http://pastebin.com/raw.php?i=YGbLx4dN

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #7 on: August 27, 2014, 11:01:41 AM »
The easiest way to avoid false-positive errors is to exclude the rules:

Plugins - Comodo WAF - Userdata - Custom Rules

SecRuleRemoveById 211570 211750 211790 etc

Save and restart Apache.

If you don't use cPanel, just write

SecRuleRemoveById 211570 211750 211790 etc

in /<path_to_cwaf>/cwaf/etc/httpd/custom_user.conf

Save and restart Apache.
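The first post asks for three fields per report (rule id, application, log), and the reply above removes a rule globally with SecRuleRemoveById. The script below is an added example, not code from the forum, from Comodo or from the CWAF rule set: it parses the bracketed `[key "value"]` fields that ModSecurity writes into its error and audit log messages (the format of every entry quoted in this thread), pulls out the report fields, tallies hits per rule id and URI, and builds a scoped `ctl:ruleRemoveById` exclusion that drops the rule only under the URI prefix where the false positive occurs, so the rule stays active for the rest of the site. The sample log lines are constructed, shortened versions of the thread's reports with hostnames and client addresses replaced; the exclusion id range starting at 9000001 is an arbitrary choice; the custom_user.conf path is the one named in the reply above.

```python
"""Triage helper for ModSecurity / CWAF false-positive reports (added example).

Parses the [key "value"] fields of ModSecurity log messages, summarises hits per
rule id, and emits a URI-scoped exclusion instead of a global SecRuleRemoveById.
Not code from the forum, Comodo, or the CWAF rule set.
"""
import posixpath
import re

# One ModSecurity log field: [id "210710"], [uri "/remote.php/webdav/aaa.zip"], ...
# Values may contain escapes such as \x22 or \", so match up to an unescaped quote.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
PHASE_RE = re.compile(r"\(phase (\d)\)")

# Constructed sample input: shortened from the thread's reports, hosts/addresses replaced.
SAMPLE_LOG = [
    '[Sun Jun 08 15:05:32 2014] [error] [client 203.0.113.10] ModSecurity: Access denied '
    'with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against '
    '"TX:0" required. [file "/opt/comodo/cwaf/rules/cwaf_01.conf"] [line "427"] [id "210710"] '
    '[msg "COMODO WAF: Request content type is not allowed by policy"] '
    '[data "application/octet-stream"] [severity "CRITICAL"] [hostname "cloud.example.test"] '
    '[uri "/remote.php/webdav/aaa.zip"] [unique_id "U5RfnDJ1B6wAAE1zL1AAAAAD"]',
    '[Sun Jun 08 15:07:10 2014] [error] [client 203.0.113.10] ModSecurity: Access denied '
    'with code 403 (phase 1). [file "/opt/comodo/cwaf/rules/cwaf_01.conf"] [line "427"] '
    '[id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy"] '
    '[data "application/octet-stream"] [severity "CRITICAL"] [hostname "cloud.example.test"] '
    '[uri "/remote.php/webdav/docs/report.pdf"] [unique_id "CONSTRUCTED-ID-0002"]',
    'Message: Access denied with code 403 (phase 2). Pattern match "(?i:x{0,1}or)..." at '
    'ARGS:description. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "301"] [id "211570"] '
    '[msg "COMODO WAF: SQL Injection Attack"] [data "Matched Data: or 56 found within '
    'ARGS:description: <li>Upto 256-bit encryption</li>"] [severity "CRITICAL"] '
    '[hostname "billing.example.test"] [uri "/admin/configproducts.php"]',
    'ModSecurity:  [file "/etc/httpd/modsecurity.d/cwaf_02.conf"] [line "176"] [id "211170"] '
    '[msg "COMODO WAF: Session Fixation"] [data "Matched Data: http://www.example.test/ found '
    'within TX:1: www.example.test"] [severity "CRITICAL"] Access denied with code 403 '
    '(phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. '
    '[hostname "example.test"] [uri "/forum/index.php"] [unique_id "VBDqUkE8MfIAAFWH5QEAAAAH"]',
]


def parse_entry(line):
    """Return the bracketed fields of one log line as a dict, plus the phase when present."""
    fields = {key: value for key, value in FIELD_RE.findall(line)}
    phase = PHASE_RE.search(line)
    if phase:
        fields["phase"] = int(phase.group(1))
    return fields


def report_fields(entry):
    """The items the thread asks reporters for, taken from one parsed entry."""
    return {k: entry.get(k) for k in ("id", "msg", "uri", "data", "hostname")}


def summarize(lines):
    """Group entries by rule id: hit count, message, distinct URIs and phases."""
    summary = {}
    for line in lines:
        entry = parse_entry(line)
        rule_id = entry.get("id")
        if rule_id is None:          # lines without a rule id (e.g. collection errors) are skipped
            continue
        bucket = summary.setdefault(
            rule_id, {"count": 0, "msg": entry.get("msg", ""), "uris": set(), "phases": set()})
        bucket["count"] += 1
        bucket["uris"].add(entry.get("uri", ""))
        if "phase" in entry:
            bucket["phases"].add(entry["phase"])
    return summary


def common_uri_prefix(uris):
    """Narrowest directory prefix (with trailing slash) shared by the given URIs."""
    dirs = [posixpath.dirname(u.split("?", 1)[0]) for u in uris if u]
    if not dirs:
        return "/"
    prefix = posixpath.commonpath(dirs)
    return prefix if prefix.endswith("/") else prefix + "/"


def scoped_exclusion(rule_id, uri_prefix, exclusion_id):
    """ModSecurity 2.x rule removing `rule_id` only for requests under `uri_prefix`.

    ctl:ruleRemoveById acts on rules evaluated after this one in the transaction,
    so the line must be loaded before the CWAF rule files; phase:1 makes it apply
    to later phase 1 rules as well as phase 2+ rules.
    """
    if not uri_prefix.startswith("/"):
        raise ValueError("uri_prefix must be an absolute path")
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')


def triage(lines, first_exclusion_id=9000001):
    """One scoped exclusion per reported rule id, ids assigned in sorted rule-id order."""
    summary = summarize(lines)
    return [scoped_exclusion(rid, common_uri_prefix(summary[rid]["uris"]), first_exclusion_id + n)
            for n, rid in enumerate(sorted(summary))]


if __name__ == "__main__":
    for rid, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{rid}: {info["count"]} hit(s), phases {sorted(info["phases"])}, {info["msg"]}')
        for uri in sorted(info["uris"]):
            print(f"    {uri}")
    print("\n# candidate lines for custom_user.conf (load before the CWAF rule files):")
    print("\n".join(triage(SAMPLE_LOG)))
```

Before shipping an exclusion, confirm with the audit log (the unique_id ties the error-log line to the full transaction) that the matched data really is the application's legitimate traffic; a scoped exclusion is still a gap in coverage for that path, just a much smaller one than a global SecRuleRemoveById.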

Offline JulesR

  • Newbie
  • *
  • Posts: 9
Re: False-Positive report thread
« Reply #8 on: August 27, 2014, 12:05:48 PM »
What a useless response. We know how to disable rules, the entire purpose of this thread is to REPORT the ones that are false positives.

Are you acknowledging these reports and planning to fix them or not?

Offline JulesR

  • Newbie
  • *
  • Posts: 9
Re: False-Positive report thread
« Reply #9 on: August 28, 2014, 04:54:40 AM »
1. 210800
2. Unknown.
3. www.clientdomain   client.ip   210800   [28/Aug/2014:03:46:48 +0000]
Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' '[at]pmFromFile bl_scanners'] [id "210800"] [msg "COMODO WAF: Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [MatchedString "maparoscopy-bmnefits-150i150.jmg5os9xc6d=5157or/admgn/edit.php/bacfronds/1.p"]
[28/Aug/2014:03:46:48 +0000] - client.ip 55758 server.ip:80 80
--3038b690-B--
GET /wp-content/uploads/2014/08/Laparoscopy-Benefits-150x150.jpg HTTP/1.1
Host: www.clientdomain
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.clientdomain/wp-admin/post.php?post=12&action=edit
Cookie: __utma=2625461.1060887636.1370225041.1409186676.1409197476.102; __utmz=2625461.1386038835.21.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26editor%3Dtinymce%26libraryContent%3Dbrowse%26urlbutton%3Dnone%26imgsize%3Dmedium%26wplink%3D1%26ed_size%3D473%26align%3Dnone%26advImgDetails%3Dshow; wp-settings-time-1=1409197572; wp-settings-time-5=1396490878; __utmc=2625461; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_68a9cfa0c6c32b3ba4523393dcde5701=admin%7C1410396318%7C954fc7b0d807f35875ce8b366531e67e; __utmb=2625461.6.10.1409197476
Connection: keep-alive

--3038b690-F--
HTTP/1.1 403 Forbidden

--3038b690-H--
Message: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' '[at]pmFromFile bl_scanners'] [id "210800"] [msg "COMODO WAF: Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [MatchedString "maparoscopy-bmnefits-150i150.jmg5os9xc6d=5157or/admgn/edit.php/bacfronds/1.p"]

Offline ionRules

  • Newbie
  • *
  • Posts: 7
Re: False-Positive report thread
« Reply #10 on: September 05, 2014, 12:49:44 AM »
I have two reports below. I apologize for the lack of info, but I just wanted to get something on record.

===========================================
1. Unknown

2. Miva Merchant 5.5
Production Release 8 Update 12
Miva Merchant Engine v5.20
http://mivamerchant.com

3. Unknown

The logs/modsec_audit.log is rotated daily, so I missed the log entries of the false positives. But I know they existed because I was getting reports of issues on these applications and when I disabled WAF on the domains running these applications the errors stopped immediately.


============================

1. Unknown

2. ExpressionEngine
https://ellislab.com/expressionengine

3. Unknown

Same issues with the logs having rotated before I could gather the data, unfortunately.


Offline webwzrd

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #11 on: September 10, 2014, 09:07:05 PM »
1. 211170
2. SMF 2.0.8

Some Simple Forum members are getting blocked from logging in by this:

3.
ModSecurity:  [file "/etc/httpd/modsecurity.d/cwaf_02.conf"] [line "176"] [id "211170"] [msg "COMODO WAF: Session Fixation"] [data "Matched Data: http://www.domainName.com/ found within TX:1: www.domainName.com"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [hostname "domainName.com"] [uri "/forum/index.php"] [unique_id "VBDqUkE8MfIAAFWH5QEAAAAH"]

Please advise.

« Last Edit: September 10, 2014, 09:10:08 PM by webwzrd »

Offline webwzrd

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #12 on: September 19, 2014, 09:54:45 AM »
Here's a couple more.

1. 214540 & 214940
2. Joomla 2.5 while trying to access dtregister from admin
3.
ModSecurity:  [file "/etc/httpd/modsecurity.d/cwaf_04.conf"] [line "325"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output"] [data "Matched Data: <iframe id=\\x22google_externalSite\\x22 class=\\x22google_externalSite\\x22 name=\\x22google_externalSite\\x22 src=\\x22\\x22 style=\\x22display:none found within RESPONSE_BODY: <!DOCTYPE html PUBLIC \\x22-//W3C//DTD XHTML 1.0 Transitional//EN\\x22 \\x22http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\x22>\\x0a<html xmlns=\\x22http://www.w3.org/1999/xhtml\\x22 xml:lang=\\x22en-gb\\x22 lang=\\x22en-gb\\x22 dir=\\x22ltr\\x22 >\\x0a<head>\\x0a  <meta http-equiv=\\x22content-type\\x22 content=\\x22text/html; cha..."] [severity "ERROR"] Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\\\\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\"']{0,1}[^a-zA-Z0-9_]{0,}?\\\\bdisplay\\\\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\\\\bnone\\\\b" at RESPONSE_BODY. [hostname "www.domainName.com"] [uri "/administrator/index.php"] [unique_id "VBwzEriaLzIAADep51sAAAAB"]

ModSecurity:  [file "/etc/httpd/modsecurity.d/cwaf_04.conf"] [line "581"] [id "214940"] [msg "COMODO WAF: Outbound Points Exceeded (points 4)"] Warning. Operator GE matched 4 at TX:outgoing_points. [hostname "www.domainName.com"] [uri "/administrator/index.php"] [unique_id "VBwzEriaLzIAADep51sAAAAB"]

Offline JulesR

  • Newbie
  • *
  • Posts: 9
Re: False-Positive report thread
« Reply #13 on: November 06, 2014, 09:25:07 AM »
Vaultpress for Wordpress:

--44f5c96f-A--
[19/Aug/2014:01:11:48 +0000] - 207.198.112.23 52575 xxx.xxx.xxx.xxx:80 80
--44f5c96f-B--
POST /wp-load.php?vaultpress=true&action=ZXhlYw&doing_wp_cron=&wp-admin=&vector=1408410708.3984&ge=1 HTTP/1.1
User-Agent: Automattic/VaultPress/0.1
Host: www.hidden.tld
Accept: */*
Accept-Encoding: gzip
Content-Length: 899
Content-Type: multipart/form-data; boundary=------------------------5798377f1bdb8670

--44f5c96f-F--
HTTP/1.1 403 Forbidden

--44f5c96f-H--
Message: Blocked , [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:html_message' '(alert|eval|fromcharcode)[\t\n\r ]{0,}\('] [id "212790"] [msg "COMODO WAF: XSS Attack Detected"] [severity "WARNING"] [MatchedString "$b="bas"; $b.="e64_d"; $b.="ecode"; return [at]eval( $b( "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" ) );"]

--44f5c96f-Z--

Offline webjive

  • Comodo Member
  • **
  • Posts: 34
Re: False-Positive report thread
« Reply #14 on: November 17, 2014, 11:16:24 AM »
Rule 212740 is producing a false positive after the rules update to 1.2.1. We can no longer use the Joomla article preview option from the backend for our client websites. The plugin triggering this is http://www.nonumber.nl/extensions/betterpreview

2014-11-17 10:07:01    spectrat.webjiveclient.com    104.177.44.44       403     POST /index.php?option=com_content&view=article&id=27&yeepreview=1

[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]
« Last Edit: November 17, 2014, 11:22:31 AM by webjive »
