Author Topic: False-Positive report thread  (Read 23639 times)

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • Posts: 357
Re: False-Positive report thread
« Reply #15 on: January 08, 2015, 06:43:51 AM »
Rule 212740 is producing a false positive after the rules update to 1.2.1. We can no longer use the Joomla article preview option from the backend for our client websites. The plugin triggering this is http://www.nonumber.nl/extensions/betterpreview

2014-11-17 10:07:01    spectrat.webjiveclient.com    104.177.44.44       403     POST /index.php?option=com_content&view=article&id=27&yeepreview=1

[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/images/jpgs/araero.jpg"] [unique_id "VGodK63BEzIAAHFGXGYAAAAA"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/popup.html"] [unique_id "VGodK63BEzIAAGdM5MkAAAAQ"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]
[Mon Nov 17 10:07:07 2014] [error] [client 104.177.44.44] ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "104.177.44.44_f299ccc9870697169883c2038cc870c47d5cdf62"). Use SecDataDir to define data directory first. [hostname "spectrat.webjiveclient.com"] [uri "/plugins/system/jcemediabox/themes/standard/tooltip.html"] [unique_id "VGodK63BEzIAAHBsUJMAAAAT"]

Possibly you have to define "SecDataDir ..." in your ModSecurity config files.

Offline ozsup

  • Newbie
  • Posts: 18
Re: False-Positive report thread
« Reply #16 on: February 02, 2015, 02:27:17 AM »
LiteSpeed environment.

The below is the kickstart.php file used for the Joomla Akeeba backup service.

2015-02-02 17:50:27.010 [NOTICE] [192.168.5.71:16550-0#APVH_domain.org] mod_security rule triggered!
[Mon Feb  2 17:50:27 2015] [error] [client 192.168.5.71] ModSecurity: Access denied with code 403, [Rule: 'ARGS|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!ARGS:info' '(?i)([\s\"'`;\/0-9\=]+on\w+\s*=)'] [id "212010"] [msg "COMODO WAF: XSS Filter - Category 2: Event Handler Vector"]
2015-02-02 17:50:27.010 [NOTICE] [192.168.5.71:16550-0#APVH_domain.org] Content len: 4907, Request line: 'POST /kickstart.php HTTP/1.1'
2015-02-02 17:50:27.010 [INFO] [192.168.5.71:16550-0#APVH_domain.org] Cookie len: 65, 58bf0dd96a6bfc0a451f0be607c88ba5=e78fc17bdc12fb5a55cb351442a34e78
2015-02-02 17:50:27.010 [INFO] [192.168.5.71:16550-0#APVH_domain.org] File not found [/home/account/public_html/403.shtml]

Offline Hedloff

  • Comodo Loves me
  • Posts: 149
Re: False-Positive report thread
« Reply #17 on: February 09, 2015, 03:48:12 AM »
We have issues with the brute-force rule on WordPress on all LiteSpeed servers. Even if we disable the rule, it still causes issues:
230000: COMODO WAF: Brute Force Attack Identified from %{tx.real_ip} (%{tx.brute_force_block_counter} hits since last alert)

It gives a Warning (403) error for all users.
Anyone else with same problem?

We're using the latest LiteSpeed/cPanel: 4.2.21 Enterprise / WHM 11.48.0 (build 9).

This shows in the ModSecurity Tools log in WHM.

Offline naja7host

  • Newbie
  • Posts: 4
Re: False-Positive report thread
« Reply #18 on: February 11, 2015, 08:56:50 AM »
Rule IDs 212000, 212620, 212870 and 212890 give false positives for AdSense code when it is added via a post form.

Offline xanubi

  • Comodo Loves me
  • Posts: 106
Re: False-Positive report thread
« Reply #19 on: February 26, 2015, 11:32:43 AM »
#1
FALSE POSITIVE on a Drupal Script:

Code:
221970: COMODO WAF: Reflected XSS attack (CVE-2014-5022)
Request: POST /?q=node/add/noticias
Action Description: Access denied with code 403 (phase 2).
Justification: String match "<" at ARGS_POST:body[und][0][value].
« Last Edit: February 26, 2015, 11:42:26 AM by xanubi »

Offline xanubi

  • Comodo Loves me
  • Posts: 106
Re: False-Positive report thread
« Reply #20 on: February 26, 2015, 11:41:49 AM »
#2
FALSE POSITIVE, normal script made by a programmer:

Code:

211230: COMODO WAF: PHP Injection Attack
Request: GET /justapri/oficinas_externas/index.php?fopen=1&nfo=15020037
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i)(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" at ARGS_NAMES:fopen.

Offline xanubi

  • Comodo Loves me
  • Posts: 106
Re: False-Positive report thread
« Reply #21 on: February 27, 2015, 04:51:42 AM »
#3
FALSE POSITIVE, script SePortal 2.5 (www.seportal.org)

Code:
211540: COMODO WAF: Blind SQL Injection Attack
Request: POST /login.php
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match "(?i:\\b(?:t(?:able_name\\b|extpos[^a-zA-Z0-9_]{1,}\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:user_password.

Offline xanubi

  • Comodo Loves me
  • Posts: 106
Re: False-Positive report thread
« Reply #22 on: February 27, 2015, 04:54:13 AM »
#4
FALSE POSITIVE, Joomla script, and I already opened and analysed the files; there is no shell at all:

Code:
ModSecurity: Access denied with code 403 (phase 3). String match "/images/" at REQUEST_FILENAME. [file "/var/cpanel/cwaf/rules/cwaf_07.conf"] [line "72"] [id "240031"] [msg "COMODO WAF: Blocking execution of an uloaded shell in Joomla!"] [hostname "www.SITE.COM"] [uri "/index.php/images/loading.gif"]

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • Posts: 357
Re: False-Positive report thread
« Reply #23 on: February 27, 2015, 05:40:07 AM »
Thank you for your reports, but please pay attention to the false-positive report requirements:
Please specify the following fields when you submit a false positive.

1. False-Positive RuleId
2. Web application + version
3. Request headers or at least debug log

You can mask some private data, but it is highly recommended that you specify ALL three fields.

Thank you.
Without request headers or a debug log we often do not have enough information to fix a false positive.
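
The three fields requested above can be pulled straight out of the error-log entries people have been pasting in this thread, which also makes it easy to write a narrow `SecRuleUpdateTargetById` exclusion for the one parameter that trips the rule instead of switching the rule off for a whole domain. The script below is an added example for this thread, not code from Comodo or from the CWAF package; the sample log entries are constructed (invented client IPs and hostnames, rule ids and messages taken from the reports above), and `SecRuleUpdateTargetById` is a stock ModSecurity 2.x directive that must be placed after the CWAF rule files are included.

```python
"""Pull the fields a CWAF false-positive report needs out of ModSecurity 2.x
Apache error-log entries and propose a narrow per-target exclusion for each one.
Added example for this thread; not code from Comodo or from the CWAF package."""
import re
from typing import List, Optional

# Constructed sample entries in the error-log format seen in this thread.
# Client IPs and hostnames are invented; rule ids, messages and matched
# variables follow entries posted in the thread.
SAMPLE_LOG = r'''
[Tue Mar 03 11:04:44 2015] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\"';=]" at FILES:async-upload. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "153"] [id "210220"] [msg "COMODO WAF: Attempted multipart/form-data bypass"] [data "We're all drivers 2.jpg"] [severity "CRITICAL"] [hostname "blog.example.org"] [uri "/wp-admin/async-upload.php"] [unique_id "VPYFv0WhnQEAADCq2VYAAAAT"]
[Thu Mar 12 00:44:20.715316 2015] [:error] [pid 633443:tid 139707937650432] [client 203.0.113.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.*?using\\s*?\\())" at ARGS:about_background. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "400"] [id "211720"] [msg "COMODO WAF: Detects MATCH AGAINST"] [data "Matched Data:  having t found within ARGS:about_background: <p>I learned flash having to deliver a collection of games</p>"] [severity "CRITICAL"] [hostname "cms.example.org"] [uri "/wip3/processwire/page/edit/"] [unique_id "VQDhZMMIOpsACapjwSEAAAEV"]
[Wed Mar 04 16:11:05.888770 2015] [:error] [pid 18017] [client 203.0.113.12] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file "/usr/local/cwaf/rules/cwaf_04.conf"] [line "562"] [id "214920"] [msg "COMODO WAF: Inbound Points (Total Incoming Points: 3)"] [hostname "dav.example.org"] [uri "/index.php"] [unique_id "VPcgiV0-ojwAAEZhzRkAAAAC"]
'''

# "ModSecurity: <action>[ (phase N)]. <operator text> at <VARIABLE>. [" ...
ACTION_RE = re.compile(
    r'ModSecurity: (?P<action>Access denied with code (?P<code>\d+)|Warning)'
    r'(?: \(phase (?P<phase>\d+)\))?\. (?P<operator>.*?) at '
    r'(?P<var>[A-Z_]+(?::\S+?)?)\. \['
)
# Trailing [key "value"] tags; values may contain backslash-escaped quotes.
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')

# Request-input collections that SecRuleUpdateTargetById can safely exclude.
# TX:* (e.g. the anomaly-score check in rule 214920) is not an input, so an
# exclusion there would be meaningless; find the rules that added the points.
EXCLUDABLE = {"ARGS", "ARGS_NAMES", "ARGS_GET", "ARGS_POST", "FILES",
              "FILES_NAMES", "REQUEST_COOKIES", "REQUEST_HEADERS"}


def parse_entry(line: str) -> Optional[dict]:
    """Return action, matched variable and every [key "value"] tag of one entry."""
    m = ACTION_RE.search(line)
    if m is None:
        return None
    entry = {k: v for k, v in m.groupdict().items() if v is not None}
    for tag in TAG_RE.finditer(line):
        entry[tag.group("key")] = tag.group("val")
    return entry


def triage(log_text: str) -> List[dict]:
    """Parse every ModSecurity entry in a block of error-log text."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e is not None]


def suggest_exclusion(entry: dict) -> Optional[str]:
    """Per-parameter exclusion that keeps the rule active for everything else."""
    var = entry.get("var", "")
    if ":" not in var:
        return None
    collection, name = var.split(":", 1)
    if collection not in EXCLUDABLE or "id" not in entry:
        return None
    return f'SecRuleUpdateTargetById {entry["id"]} "!{collection}:{name}"'


def format_report(entry: dict, app: str) -> str:
    """Render the three fields the rule team asks for in this thread."""
    lines = [
        f"1. False-Positive RuleId: {entry.get('id', '?')} ({entry.get('msg', '')})",
        f"2. Web application + version: {app}",
        f"3. Request: {entry.get('hostname', '?')}{entry.get('uri', '?')} "
        f"unique_id={entry.get('unique_id', '?')} matched={entry.get('var', '?')}",
    ]
    exclusion = suggest_exclusion(entry)
    if exclusion:
        lines.append(f"   Interim local exclusion (narrower than disabling the rule): {exclusion}")
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(format_report(entry, app="<web application + version>"), end="\n\n")
```

Feed it the error-log lines from a blocked request and paste the output into the report together with the application name and version; the third field still needs the matching audit-log section (request headers) for the rule team to reproduce the block. The exclusion line is only an interim fix for one parameter on one rule, so it is considerably narrower than `SecRuleRemoveById` or turning the WAF off for the domain.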

Offline xanubi

  • Comodo Loves me
  • Posts: 106
Re: False-Positive report thread
« Reply #24 on: February 27, 2015, 12:58:09 PM »
I'm sorry Dmitry, but the logs don't save the request headers.

In that case, I cannot report the false positives, and the only solution is to turn off the rules on those domains that have false positives.


Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • Posts: 357
Re: False-Positive report thread
« Reply #25 on: March 02, 2015, 04:27:33 AM »
I'm sorry Dmitry, but the logs don't save the request headers.

In that case, I cannot report the false positives, and the only solution is to turn off the rules on those domains that have false positives.
You can configure ModSecurity to save an audit.log or debug.log.
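
The two suggestions TDmitry makes in this thread (define `SecDataDir` so the ip/global collections can be stored, and save an audit or debug log so a report can include the request headers) map onto the following ModSecurity 2.x directives for Apache. This is an added example, not configuration from the thread or from the CWAF package; the directory and file paths are assumptions, and whatever you choose must be writable by the web server user.

```apache
# Persistent collection storage. Without it the ip/global collections used by
# the brute-force rules fail with "Use SecDataDir to define data directory first".
SecDataDir /var/cache/modsecurity
SecTmpDir  /var/cache/modsecurity/tmp

# Audit log for false-positive reports: record only transactions that matched a
# rule (or returned 5xx, or 4xx other than 404), with request headers (B),
# request body (C), response headers (F) and the rule messages (H).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABCFHZ

# Debug log. Level 9 records every rule evaluation and grows very quickly, so
# raise it only while reproducing the false positive, then return to 3.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 9
```

Part B carries session cookies and part C carries the full request body, so a captured login.php or wp-admin transaction will contain credentials; mask those before posting the section, which is what the "you can mask some private data" note above allows for.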

Offline garconcn

  • Newbie
  • Posts: 13
Re: False-Positive report thread
« Reply #26 on: March 03, 2015, 07:40:08 PM »
A client uploaded an image file in the WordPress admin panel. The image file name contains a single quote.


[Tue Mar 03 11:04:44 2015] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\"';=]" at FILES:async-upload. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "153"] [id "210220"] [msg "COMODO WAF: Attempted multipart/form-data bypass"] [data "We're all drivers 2.jpg"] [severity "CRITICAL"] [hostname "domain name"] [uri "/wp-admin/async-upload.php"] [unique_id "VPYFv0WhnQEAADCq2VYAAAAT"]

Offline SeLLeRoNe

  • Newbie
  • Posts: 5
Re: False-Positive report thread
« Reply #27 on: March 04, 2015, 10:19:50 AM »
Hi,

maybe this is a false positive (probably)

1 - Rule 214920
2 - SabreDAV 2.1.2 + Roundcube 1.0.5 and SabreDAV 2.1.2 + Thunderbird 31.5.0

[Wed Mar 04 16:11:05.888770 2015] [:error] [pid 18017] [client myip] ModSecurity: Warning. Operator LT matched 5 at TX:incoming_points. [file "/usr/local/cwaf/rules/cwaf_04.conf"] [line "562"] [id "214920"] [msg "COMODO WAF: Inbound Points (Total Incoming Points: 3)"] [hostname "dav.myserver"] [uri "/index.php"] [unique_id "VPcgiV0-ojwAAEZhzRkAAAAC"]

Also, I've noticed that I can't sync my Android phone with DAV anymore. I think it is agent related, but I'm not sure; there is no evidence in the logs except for the Apache access log:

MYIP - - [04/Mar/2015:16:18:09 +0100] "OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1" 401 3868 "-" "CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip"
MYIP - MYUSERACCOUNT [04/Mar/2015:16:18:09 +0100] "OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1" 200 277 "-" "CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip"
MYIP - - [04/Mar/2015:16:18:09 +0100] "OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1" 401 3868 "-" "CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip"
MYIP - MYUSERACCOUNT [04/Mar/2015:16:18:09 +0100] "OPTIONS /calendars/MYUSERACCOUNT/personal/ HTTP/1.1" 200 277 "-" "CalDAV-Sync (Android) (like iOS/5.0.1 (9A405) dataaccessd/1.0) gzip"

Hope these help you.

Regards

Offline xanubi

  • Comodo Loves me
  • Posts: 106
Re: False-Positive report thread
« Reply #28 on: March 11, 2015, 08:59:33 PM »
False Positive:

Code:
[Thu Mar 12 00:44:20.715316 2015] [:error] [pid 633443:tid 139707937650432] [client 188.37.110.159] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.*?using\\\\s*?\\\\()|(execute\\\\s*?immediate\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:\\\\W+\\\\d*?\\\\s*?having\\\\s*?[^\\\\s\\\\-])|(?:match\\\\s*?[\\\\w(),+-]+\\\\s*?against\\\\s*?\\\\())" at ARGS:about_background. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "400"] [id "211720"] [msg "COMODO WAF: Detects MATCH AGAINST"] [data "Matched Data:  having t found within ARGS:about_background: <p>Back in 2000 I co-founded front.end, a digital agency in Portugal. Its small structure challenged me to solve many problems that required learning things outside of my comfort zone. I learned flash having to deliver a collection of games, web standards and accessibility landing projects for the portuguese government, and just about everything else in do-or-die scenarios.</p>\\x0d\\x0a\\x0d\\x0a<p>In this experience I've acquired knowledge in just..."] [severity "CRITICAL"] [hostname "site.com"] [uri "/wip3/processwire/page/edit/"] [unique_id "VQDhZMMIOpsACapjwSEAAAEV"]

Code:
--3dc1b82c-A--
[12/Mar/2015:00:44:20 +0000] VQDhZMMIOpsACapjwSEAAAEV 188.37.110.159 42781 195.8.58.158 6081
--3dc1b82c-B--
POST /wip3/processwire/page/edit/?id=1001 HTTP/1.1
Referer: http://heldercervantes.com/wip3/processwire/page/edit/?id=1001
Host: heldercervantes.com
Cookie: WireTabs=ProcessPageEditContent; cpsession=helderce%3aK4SQoVsktzNWArhkLc1Xck7yvYz159wLoAqSWY3Iz1X9PyY9AyL5BXv8SmWDgp1c%2c858a091fba04683c471e3d40d9e62f114276275c8161de8b2c582a2fcf7df1d1; langedit=; lang=; cprelogin=no; _ga=GA1.2.332721632.1424949039; wire=cjpmfa3oefec4loq595evt5ko4; wire_challenge=oogjXP0QiWUxMRXVyqh8ltUBFLDjtLGP1
X-Real-IP: 188.37.110.159
X-Forwarded-Host: heldercervantes.com
X-Forwarded-Server: heldercervantes.com
X-Forwarded-For: 188.37.110.159
Connection: close
Content-Length: 10530
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://site.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLu2pyuaB5eHG7Ar8
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,es;q=0.4,fr;q=0.2,it;q=0.2,pt;q=0.2,pt-PT;q=0.2
« Last Edit: March 11, 2015, 09:03:25 PM by xanubi »

Offline plusplus

  • Newbie
  • Posts: 7
Re: False-Positive report thread
« Reply #29 on: March 13, 2015, 10:25:12 AM »
False positive in the cPanel Mailman admin access and users app, rule 210730.


---
--f686ff71-A--
[13/Mar/2015:15:05:51 +0000] VQL8z0RHh5IABq5Q@UUAAAAA 201.213.123.146 50769 68.71.135.146 80
--f686ff71-B--
GET /mailman/admindb/congregation_domainnamehere.com HTTP/1.1
Host: mail.domainnamehere.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

--f686ff71-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--f686ff71-H--
Message: Access denied with code 403 (phase 2). String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_01.conf"] [line "455"] [id "210730"] [msg "COMODO WAF: URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: default-handler
Stopwatch: 1426259151407306 5924 (- - -)
Stopwatch2: 1426259151407306 5924; combined=1011, p1=729, p2=183, p3=0, p4=0, p5=98, sr=111, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"

--f686ff71-Z--
---
