Author Topic: False-Positive report thread  (Read 80057 times)

Offline PRO ISP

  • Newbie
  • *
  • Posts: 16
Re: False-Positive report thread
« Reply #135 on: February 20, 2017, 08:01:05 AM »
1. False-Positive RuleId = 211230

2. Web application + version = wp_version = 4.7.2

3. Request headers or at least debug log



--2ed45f8b-F--
HTTP/1.0 403 Forbidden

--2ed45f8b-H--
Message: Access denied with code 403 (phase 2). Test 'REQUEST_HEADERS:User-Agent' against '(?i:(?:^(?:microsoft url|user-Agent|www\.weblogs\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\bdatacha0s\b|; widows|\\\r|a(?: href=|d(?:sarobot|vanced email extractor)|gdm79@mail\.ru|miga-aweb/3\.4|t(?:hens|tache|(?:omic_email_hunt|spid)er)|utoemailspider)|b(?:ackdoor|lack hole|utch__2\.1\.1|wh3_user_agent)|c(?:h(?:e(?:esebot|rrypicker)|ina(?: local browse 2\.|claw))|o(?:mpatible(?: ;(?: msie|\.)|-)|n(?:cealed defense|t(?:actbot/|entsmartz)|veracrawler)|py(?:guard|rightcheck)|re-project/1.0)|rescent internet toolpak)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|e(?:ducate search vxb|mail(?:siphon|wolf|(?: extracto|reape)r|(siphon|spider)|(?:collec|harves|magne)t)|o browse|xtractorpro|(?:collecto|irgrabbe)r)|f(?:a(?:xobot|(?:ntombrows|stlwspid)er)|loodgate|oobar/|ull web bot|(?:iddle|ranklin locato)r)|g(?:ameBoy, powered by nintendo|ecko/25|rub(?: crawler|-client))|h(?:anzoweb|hjhj@yahoo|l_ftien_spider)|i(?:n(?:dy library|ternet(?: (?:exploiter sux|ninja)|-exprorer))|sc systems irc search 2\.1)|kenjin spider|larbin@unspecified|m(?:ailto:craftbot@yahoo\.com|i(?:crosoft (?:internet explorer/5\.0$|url control)|ssigua)|o(?:r(?:feus flipping* scanner|zilla)|siac 1.|zilla/3\.mozilla/2\.01$)|urzillo compatible)|n(?:ameofagent|e(?:ssus|(?:uralbot/0\.|wt activeX; win3)2)|ikto|o(?: browser|kia-waptoolkit.{0,} googlebot.{0,}googlebot))|p(?:a(?:ckrat|nscient\.com)|cbrowser|e 1\.4|leasecrawl/1\.|mafind|oe-component-client|ro(?:duction bot|gram shareware 1\.0\.|webwalker)|s(?:urf|ycheclone))|rsync|s(?:\.t\.a\.l\.k\.e\.r\.|afexplorer tl|e(?:archbot admin@google.com|curity scan)|hai|itesnagger|(?:tress tes|urveybo)t)|t(?:ele(?:port pro|soft)|oata dragostea mea pentru diavola|uring machine|(?: {0,1}h {0,1}a {0,1}t {0,1}' {0,1}s g {0,1}o {0,1}t {0,1}t {0,1}a {0,1} h {0,1}u {0,1}r {0,1}|akeou|his is an exploi)t)|u(?:nder the rainbow 2\.|ser-agent:)|v(?:adixbot|oideye)|w(?:3mir|e(?:b(?: (?:by mail|downloader)|emailextract{0,1}|mole|vulnscan|(?:bandi|(?:altb|ro)o)t)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent)|se(?:nut){0,1}bot)|ordpress(?: hash grabber|/4\.01))|zeus(?: .{0,}webster pro){0,1}|[a-z]surf[0-9][0-9]|(?:$botname/$botvers|(script|sql) inject)ion|(compatible ; msie|msie .{1,}; .{0,}windows xp)|(?:8484 boston projec|xmlrpc exploi)t|(sogou develop spider|sohu agent)|(?:demo bot|(?:d|e)browse)|(libwen-us|myie2|murzillo compatible|webaltbot|wisenutbot)))' is true. [file "/var/cpanel/cwaf/rules/02_Global_Agents.conf"] [line "31"] [id "210831"] [msg "COMODO WAF: Rogue web site crawler"] [severity "WARNING"] [MatchedString "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.13) Gecko/2009073022 Firefox/3.5.2 (.NET CLR 3.5.30729) SurveyBot/2.3 (DomainTools)"]

Offline Harinarayanan

  • Comodo's Hero
  • *****
  • Posts: 919
Re: False-Positive report thread
« Reply #136 on: March 02, 2017, 07:14:02 AM »
The given Rule-id 211230 doesn't match the Rule-id 210831 in the audit log. Please give us the exact one to process the false positive.

Regards,
Harinarayanan

Offline PRO ISP

  • Newbie
  • *
  • Posts: 16
Re: False-Positive report thread
« Reply #137 on: March 02, 2017, 08:25:57 AM »
Hi,

Please see the updated log,

1. False-Positive RuleId = 211230

2. Web application + version = wp_version = 4.7.2

3. Request headers or at least debug log

Code: [Select]
[Mon Feb 20 09:07:42 2017] [error] [client 213.x.x.x] ModSecurity: Access denied with code 403, [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/' '(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b'] [id "211230"] [msg "COMODO WAF: PHP Injection Attack"]

[Mon Feb 20 09:07:57 2017] [error] [client 213.x.x.x] ModSecurity: Access denied with code 403, [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/' '(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b'] [id "211230"] [msg "COMODO WAF: PHP Injection Attack"]
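
The log above shows why a WordPress editor trips 211230: the rule scans every argument and cookie except the listed exclusions (body, content, description, message, Post, desc, text, and the __utm / _pk_ref cookies) for PHP function names such as fopen or readfile and for $_GET / $_POST / $_SESSION. Anything else, for example a post title or excerpt that mentions PHP, will match. The following is an added example, not part of the original post and not ModSecurity's own code: it copies the regex and the target list from the log line, emulates how the positive and negative selectors pick variables out of a request, and shows which per-argument exclusion would silence the false positive. The WordPress form fields and cookies are constructed for the illustration; XML:/* is not modelled, and the assumption that ARGS name selectors compare case-insensitively is marked in the code.

```python
import re

# Regex copied verbatim from the rule 211230 entry in the audit log above.
PHP_INJECTION_RE = re.compile(
    r"(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)"
    r"|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)"
    r"|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)"
    r"|\$_(?:(?:pos|ge)t|session))\b"
)

# Target list of rule 211230 as logged. XML:/* is dropped because no XML body is modelled here.
RULE_211230_TARGETS = (
    "ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
    "|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/"
    "|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/"
)


def parse_targets(spec):
    """Split a ModSecurity variable list into (collection, selector, negated) triples."""
    parsed = []
    for item in spec.split("|"):
        negated = item.startswith("!")
        collection, _, selector = item.lstrip("!").partition(":")
        parsed.append((collection, selector, negated))
    return parsed


def selector_matches(selector, name):
    """/regex/ selectors are searched in the variable name; bare selectors compare
    case-insensitively (assumption about how ModSecurity matches ARGS names)."""
    if selector == "":
        return True
    if len(selector) > 1 and selector.startswith("/") and selector.endswith("/"):
        return re.search(selector[1:-1], name, re.IGNORECASE) is not None
    return selector.lower() == name.lower()


def select_variables(targets, args, cookies):
    """Expand the target list over a request, applying the ! exclusions."""
    collections = {
        "ARGS": args,
        "ARGS_NAMES": {n: n for n in args},
        "REQUEST_COOKIES": cookies,
        "REQUEST_COOKIES_NAMES": {n: n for n in cookies},
    }
    selected = {}
    for collection, selector, negated in targets:
        for name, value in collections.get(collection, {}).items():
            if selector_matches(selector, name):
                if negated:
                    selected.pop((collection, name), None)
                else:
                    selected[(collection, name)] = value
    return selected


def evaluate_rule_211230(args, cookies, extra_arg_exclusions=()):
    """Return [(variable, matched_token)] for every selected variable the regex hits."""
    targets = parse_targets(RULE_211230_TARGETS)
    targets += [("ARGS", name, True) for name in extra_arg_exclusions]
    hits = []
    for (collection, name), value in select_variables(targets, args, cookies).items():
        match = PHP_INJECTION_RE.search(value)
        if match:
            hits.append((f"{collection}:{name}", match.group(0)))
    return hits


def exclusion_directives(rule_id, arg_names):
    """ModSecurity directives that remove the given ARGS from one rule's target list."""
    return [f'SecRuleUpdateTargetById {rule_id} "!ARGS:{name}"' for name in arg_names]


# Constructed WordPress post-edit submission, not taken from the thread.
SAMPLE_ARGS = {
    "post_title": "Reading files in PHP: fopen, fread and readfile",
    "content": "<?php $fh = fopen('notes.txt', 'r'); ?>",  # skipped by !ARGS:/content/
    "excerpt": "Notes on $_GET handling in plugins",
    "post_name": "php-file-reading",
}
SAMPLE_COOKIES = {
    "wordpress_test_cookie": "WP Cookie check",
    "_pk_ref.1.abcd": "fopen",  # skipped by !REQUEST_COOKIES:/_pk_ref/
}

if __name__ == "__main__":
    for variable, token in evaluate_rule_211230(SAMPLE_ARGS, SAMPLE_COOKIES):
        print(f"211230 would fire on {variable}: {token!r}")
    for directive in exclusion_directives(211230, ["post_title", "excerpt"]):
        print(directive)
```

Running it shows the rule firing on ARGS:post_title ("fopen") and ARGS:excerpt ("$_GET") while the content field and the _pk_ref cookie are skipped; passing the same two names as extra exclusions clears the hits, which is what the emitted SecRuleUpdateTargetById lines would do in the web server's exclusion file. The rule's transformations and phase are not modelled, so this only reproduces the target selection and the regex.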

Offline lucasrolff

  • Newbie
  • *
  • Posts: 3
Re: False-Positive report thread
« Reply #138 on: April 07, 2017, 12:52:01 AM »
Rule ID: 217270

Web Application: Everything

Request Headers:

--9078f749-A--
[07/Apr/2017:01:10:49 +0200] WObK@WL4k6vGHmMXt81AxgAAAcw 91.150.235.9 45918 193.70.73.15 443
--9078f749-B--
POST /produkt/led-stripe-remote-farveskift-5m?wc-ajax=get_refreshed_fragments HTTP/1.1
Host: xxxxxxxx.dk
Connection: keep-alive
Content-Length: 0
Accept: */*
Origin: https://xxxxxxxx.dk
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G925F Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/117.0.0.18.47;]
Referer: https://xxxxxxxx.dk/produkt/led-stripe-remote-farveskift-5m
Accept-Encoding: gzip, deflate
Accept-Language: da-DK,en-US;q=0.8
Cookie: vb-user=9d00d020-0c2c-11e7-94f2-cf255046ddeb; _ga=GA1.2.594329631.1489877140; _gat=1

--9078f749-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 16932
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

--9078f749-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo-apache/12_HTTP_Protocol.conf"] [line "139"] [id "217270"] [rev "2"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header||xxxxxxxx.dk|F|2"] [data "REQUEST_HEADERS=0"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1491520249587923 11476 (- - -)
Stopwatch2: 1491520249587923 11476; combined=734, p1=241, p2=437, p3=0, p4=0, p5=56, sr=30, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--9078f749-Z--





-------------------------

This issue happens for *a lot* of software; in just 5 hours we managed to block about 10k IPs due to this rule.

Offline af

  • Newbie
  • *
  • Posts: 2
Re: False-Positive report thread
« Reply #139 on: April 07, 2017, 06:30:34 AM »
Similar to lucasrolff's report. This is ID 217270.

2 things here:

1.
RFC7231 does not *require* a Content-Type header. This is fine if you're happy to be stricter than the RFC, but you're probably going to cause a lot of FP by having this as a default behaviour.
http://httpwg.org/specs/rfc7231.html#header.content-type

2.
The rule checks for a Content-Length header and if this doesn't exist and also no Content-Type header is found, the rule matches.
However, a Content-Length header can have a value of 0, in which case no content and therefore no Content-Type required.

This (2) is the default behaviour of XMLHttpRequests from Safari and Chrome, so this rule change is denying a huge amount of requests.

Please address this ASAP.

Code: [Select]
--27f99c18-B--
POST /app/uri HTTP/1.1
host: www.example.com
content-length: 0
accept: */*
origin: https://www.example.com
x-requested-with: XMLHttpRequest
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
referer: https://www.example.com/app
accept-encoding: gzip, deflate, br
accept-language: en,en-US;q=0.8,fr;q=0.6,sv;q=0.4,it;q=0.2

--27f99c18-F--
HTTP/1.1 403 Forbidden

--27f99c18-H--
Message: Access denied with code 403 (phase 2). Test '&REQUEST_HEADERS:Content-Type' against '@eq 0' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed/12_HTTP_Protocol.conf"] [line "122"] [id "217270"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header"] [severity "CRITICAL"] [MatchedString "0"]
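
Both lucasrolff's and af's audit logs show the same shape: a POST with Content-Length: 0 and no Content-Type, denied because the count of Content-Type headers is 0. The added example below (not Comodo's rule text, which the thread does not include, and not part of either post) reconstructs the two-step check from what the logs and af's description reveal: the observed behaviour fires whenever a Content-Length header is present and Content-Type is absent, while the corrected variant only fires when the request actually declares a body, meaning a positive Content-Length or a Transfer-Encoding header (a chunked request has no Content-Length at all, so a check keyed on Content-Length alone misses it; that generalisation is mine). The sample requests are constructed; the first reproduces the headers posted in the thread.

```python
"""Emulation of the Content-Type presence check that rule 217270 logs as
'Request Containing Content, but Missing Content-Type header'."""


def parse_request_headers(raw_request):
    """Parse the request line and headers of a raw HTTP/1.1 request (audit-log section B).
    Returns (request_line, {lowercased name: [values]}); duplicates are kept as a list
    because ModSecurity's &REQUEST_HEADERS:Name counts occurrences."""
    lines = raw_request.strip("\r\n").split("\n")
    request_line = lines[0].rstrip("\r")
    headers = {}
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the header block; anything after it is body
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


def header_count(headers, name):
    """Equivalent of the ModSecurity count operator &REQUEST_HEADERS:Name."""
    return len(headers.get(name.lower(), []))


def rule_217270_as_observed(headers):
    """The behaviour af describes: a Content-Length header is present and no
    Content-Type header exists. Content-Length: 0 is not special-cased, so an
    empty-bodied XHR POST is denied. (Reconstruction from the logs, not the rule text.)"""
    return header_count(headers, "Content-Length") >= 1 and header_count(headers, "Content-Type") == 0


def declares_message_body(headers):
    """True only when the request actually carries a body: a positive Content-Length
    or any Transfer-Encoding (chunked requests have no Content-Length at all)."""
    if header_count(headers, "Transfer-Encoding") > 0:
        return True
    return any(v.isdigit() and int(v) > 0 for v in headers.get("content-length", []))


def rule_217270_corrected(headers):
    """Only a request with a body but no Content-Type is flagged."""
    return declares_message_body(headers) and header_count(headers, "Content-Type") == 0


# Constructed requests. The first reproduces the headers lucasrolff and af posted
# (an XMLHttpRequest POST with Content-Length: 0); the rest are variations added here.
SAMPLE_REQUESTS = {
    "xhr_empty_post": (
        "POST /app/uri HTTP/1.1\n"
        "Host: www.example.com\n"
        "Content-Length: 0\n"
        "Accept: */*\n"
        "Origin: https://www.example.com\n"
        "X-Requested-With: XMLHttpRequest\n"
        "\n"
    ),
    "form_post_without_type": (
        "POST /app/uri HTTP/1.1\n"
        "Host: www.example.com\n"
        "Content-Length: 27\n"
        "\n"
        "username=alice&password=pw1\n"
    ),
    "form_post_with_type": (
        "POST /app/uri HTTP/1.1\n"
        "Host: www.example.com\n"
        "Content-Type: application/x-www-form-urlencoded\n"
        "Content-Length: 27\n"
        "\n"
        "username=alice&password=pw1\n"
    ),
    "chunked_post_without_type": (
        "POST /app/uri HTTP/1.1\n"
        "Host: www.example.com\n"
        "Transfer-Encoding: chunked\n"
        "\n"
        "5\nhello\n0\n\n"
    ),
    "plain_get": (
        "GET /app HTTP/1.1\n"
        "Host: www.example.com\n"
        "\n"
    ),
}


def evaluate_samples():
    """Return {name: (denied_by_observed_rule, denied_by_corrected_rule)}."""
    results = {}
    for name, raw in SAMPLE_REQUESTS.items():
        _, headers = parse_request_headers(raw)
        results[name] = (rule_217270_as_observed(headers), rule_217270_corrected(headers))
    return results


if __name__ == "__main__":
    for name, (observed, corrected) in evaluate_samples().items():
        print(f"{name:28s} observed={observed!s:5s} corrected={corrected}")
```

The empty XHR POST is the only case where the two variants disagree in the direction the thread complains about: the observed check denies it, the corrected one lets it through, and a POST with a real body and no Content-Type is still denied by both. In ModSecurity terms the corrected variant corresponds to a chain whose first rule tests Content-Length for a non-zero value before the second rule counts Content-Type headers. Even that is stricter than RFC 7231, which af points out only recommends Content-Type for a message with a body, so a deployment that keeps the rule should expect some legitimate API clients to need exclusions.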

Offline joaam

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #140 on: April 07, 2017, 07:07:42 AM »
Hi,

1. How can I update it on cPanel?

2. I also get the 217270, even if I disable it via CMC, but the number is still shown.

Thanks
« Last Edit: April 07, 2017, 07:09:50 AM by joaam »

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #141 on: April 07, 2017, 08:51:24 AM »
Similar to lucasrolff's report. This is ID 217270.

2 things here:

1.
RFC7231 does not *require* a Content-Type header. This is fine if you're happy to be stricter than the RFC, but you're probably going to cause a lot of FP by having this as a default behaviour.
http://httpwg.org/specs/rfc7231.html#header.content-type

2.
The rule checks for a Content-Length header and if this doesn't exist and also no Content-Type header is found, the rule matches.
However, a Content-Length header can have a value of 0, in which case no content and therefore no Content-Type required.

This (2) is the default behaviour of XMLHttpRequests from Safari and Chrome, so this rule change is denying a huge amount of requests.

Please address this ASAP.

Code: [Select]
--27f99c18-B--
POST /app/uri HTTP/1.1
host: www.example.com
content-length: 0
accept: */*
origin: https://www.example.com
x-requested-with: XMLHttpRequest
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
referer: https://www.example.com/app
accept-encoding: gzip, deflate, br
accept-language: en,en-US;q=0.8,fr;q=0.6,sv;q=0.4,it;q=0.2

--27f99c18-F--
HTTP/1.1 403 Forbidden

--27f99c18-H--
Message: Access denied with code 403 (phase 2). Test '&REQUEST_HEADERS:Content-Type' against '@eq 0' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed/12_HTTP_Protocol.conf"] [line "122"] [id "217270"] [msg "COMODO WAF: Request Containing Content, but Missing Content-Type header"] [severity "CRITICAL"] [MatchedString "0"]

In this case our rules are used as a ModSecurity Vendor. So, to disable this rule, you need to disable the file 12_HTTP_Protocol.conf.

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #142 on: April 07, 2017, 08:55:14 AM »
Hi,

1. How can I update it on cPanel?

2. I also get the 217270, even if I disable it via CMC, but the number is still shown.

Thanks

1) To update, you can use the script /var/cpanel/cwaf/scripts/updater.pl
2) Please check /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf.
Is 217270 in it? If yes, tell us whether the web server was restarted or not.


Offline joaam

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #143 on: April 07, 2017, 08:59:49 AM »
1) To update, you can use the script /var/cpanel/cwaf/scripts/updater.pl
2) Please check /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf.
Is 217270 in it? If yes, tell us whether the web server was restarted or not.

Hi,

I ran the command but it fails:

dsef@sd4555 [/var/cpanel]#  /var/cpanel/cwaf/scripts/updater.pl
-bash: /var/cpanel/cwaf/scripts/updater.pl: No such file or directory

Offline af

  • Newbie
  • *
  • Posts: 2
Re: False-Positive report thread
« Reply #144 on: April 07, 2017, 09:03:24 AM »
In this case our rules are used as ModSecurity Vendor. So, to disable this rule, you need to disable file 12_HTTP_Protocol.conf

Yes, I understand this.

What I'm saying is that the rule is bad. Aside from being non-RFC compliant (Content-Type is not required), your rule takes action when the Content-Length is 0, which should not happen. If the Content-Length is missing or is zero, and there is no content, a Content-Type header is not required and therefore should not be enforced.


Offline BeZazz

  • Comodo Member
  • **
  • Posts: 28
Re: False-Positive report thread
« Reply #145 on: April 07, 2017, 09:10:57 AM »
Every server I have checked is blocking based on the rule 217270.
Trouble is, using Comodo's client I cannot remove the rule, as it says:
(No rule found for id (217270)


Offline joaam

  • Newbie
  • *
  • Posts: 13
Re: False-Positive report thread
« Reply #146 on: April 07, 2017, 09:16:33 AM »
Every server I have checked is blocking based on the rule 217270.
Trouble is, using Comodo's client I cannot remove the rule, as it says:
(No rule found for id (217270)

How do you remove it?

Offline BeZazz

  • Comodo Member
  • **
  • Posts: 28
Re: False-Positive report thread
« Reply #147 on: April 07, 2017, 09:21:55 AM »
How do you remove it?
I am not sure.

I rolled back the rules on one server to test.

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: False-Positive report thread
« Reply #148 on: April 07, 2017, 11:34:43 AM »
Hi,

I ran the command but it fails:

dsef@sd4555 [/var/cpanel]#  /var/cpanel/cwaf/scripts/updater.pl
-bash: /var/cpanel/cwaf/scripts/updater.pl: No such file or directory

Please, show me result of:

Code: [Select]
# ls -la /var/cpanel/cwaf/scripts/

Offline azizarnold

  • Newbie
  • *
  • Posts: 5
    • Hostking
Re: False-Positive report thread
« Reply #149 on: April 07, 2017, 11:39:24 AM »
Same issue here. None of our customers on any of our servers could update Pages or Posts in WordPress due to this error.

When we disabled the rule "217270" after checking the Apache logs, all seemed to be fine again.

So something is going on there.