Author Topic: False-Positive report thread  (Read 80056 times)

Offline amsscott

  • Newbie
  • *
  • Posts: 11
Re: False-Positive report thread
« Reply #180 on: May 08, 2017, 02:44:41 PM »
I am also seeing a higher than normal number of complaints regarding rules:

211000 211740 212010 212480 212490 218410 218550

causing more hindrance than helping.

This all seemed to have started with version 1.122.

Perhaps some of these captures are supposed to happen, but we are seeing more complaints about these rules since the 1.122 update.

Offline garconcn

  • Newbie
  • *
  • Posts: 16
Re: False-Positive report thread
« Reply #181 on: May 12, 2017, 05:21:07 PM »
Quote from: amsscott on May 08, 2017, 02:44:41 PM
I am also seeing a higher than normal number of complaints regarding rules:

211000 211740 212010 212480 212490 218410 218550

causing more hindrance than helping.

This all seemed to have started with version 1.122.

Perhaps some of these captures are supposed to happen, but we are seeing more complaints about these rules since the 1.122 update.
I am seeing the same issue, have to revert the rule version back

Offline limithat

  • Newbie
  • *
  • Posts: 17
Re: False-Positive report thread
« Reply #182 on: May 15, 2017, 08:11:43 AM »
Quote from: garconcn on May 12, 2017, 05:21:07 PM
I am seeing the same issue, have to revert the rule version back

Hello amsscott and garconcn,

We are working on this issue and will get back to you soon. Please specify the following fields when you submit a False-Positive.

1. Web application + version
2. Request headers or at least audit log

You can mask some private data, but it is highly recommended that you specify these two fields.

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline H0sseiN

  • Newbie
  • *
  • Posts: 8
Re: False-Positive report thread
« Reply #183 on: May 15, 2017, 10:08:58 AM »
Hello,
which configuration in the rule set should be turned off to disable the rules below in the LiteSpeed rule set?

211000 211740 212010 212480 212490 218410 218550
« Last Edit: May 16, 2017, 08:19:24 AM by H0sseiN »

Offline Amar218

  • Newbie
  • *
  • Posts: 9
Re: False-Positive report thread
« Reply #184 on: May 17, 2017, 06:48:43 AM »
Rule 218550  generates false positive on Wordpress admin login -- I am seeing this on multiple sites. Tested and the rule was triggered immediately on my accessing the wp-admin (no other action on my part). (I have disabled the rule).

Sample message:
Code:
Request: GET /wordpress/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer,wp-ajax-response,jquery-color,wp-lists,quicktags,jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore,customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install,wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter,heartbeat,wp-auth-check,jquery-ui-dra&load%5B%5D=ggable,jquery-ui-droppable,jquery-effects-core,wplink,jquery-ui-menu,jquery-ui-autocomplete&ver=faa82ed2fa93e9cb72f05cb97b6db6f5
Action Description: Access denied with code 403 (phase 2).

Justification: Pattern match "(?i:(?:[\\d\\W]\\s+as\\s*?[\"'`\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_fi ..." at MATCHED_VAR.

I think it's triggering on Wordpress calls to functions like "updates" and "media-upload."

Offline Amar218

  • Newbie
  • *
  • Posts: 9
Re: False-Positive report thread
« Reply #185 on: May 22, 2017, 11:52:21 PM »
Rule 210380

CWAF v. 2.21, Rule set 1.123 

Code:
Request: POST /index.php?l=check_quickcheckout
Action Description: Access denied with code 403 (phase 2).
Justification: Invalid URL Encoding: Non-hexadecimal digits used at REQUEST_BODY.

From site logs, IP corresponds to logged in customer of shopping cart software;  customer complained that order could not be placed.

Offline PRO ISP

  • Newbie
  • *
  • Posts: 16
Re: False-Positive report thread
« Reply #186 on: June 02, 2017, 08:50:23 AM »
1. 212480
2. Concrete5 version 5.6.3.4
3. [Fri Jun 02 05:56:49.465017 2017] [:error] [pid 717640] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<[^\\\\w<>]*(?:[^<>\\"'\\\\s]*:)?[^\\\\w<>]*(?:\\\\W*?s\\\\W*?c\\\\W*?r\\\\W*?i\\\\W*?p\\\\W*?t|\\\\W*?f\\\\W*?o\\\\W*?r\\\\W*?m|\\\\W*?s\\\\W*?t\\\\W*?y\\\\W*?l\\\\W*?e|\\\\W*?s\\\\W*?v\\\\W*?g|\\\\W*?m\\\\W*?a\\\\W*?r\\\\W*?q\\\\W*?u\\\\W*?e\\\\W*?e|(?:\\\\W*?l\\\\W*?i\\\\W*?n\\\\W*?k|\\\\W*?o\\\\W*?b\\\\W*?j\\\\W*?e\\ ..." at ARGS:blogBody. [file "/var/cpanel/cwaf/rules/08_XSS_XSS.conf"] [line "331"] [id "212480"] [rev "1"] [msg "COMODO WAF: NoScript XSS InjectionChecker: HTML Injection||domain.tld|F|2"] [data "Matched Data: <p><img src= found within ARGS:blogBody: <p><img src=\\x22/files/9514/9630/2818/C5DK_BP_uID-84_Pic_pop-designs-for-bedroom-roof-POP-ceiling-designs-with-lights.jpg\\x22 alt=\\x22\\x22 /></p>\\x0d\\x0a<p>\\xa0</p>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "domain.tld"] [uri "/index.php/c5dk_blogging_post/save/"] [unique_id "WTDiAdWi8B4ACvNIY[at]0AAAAD"]
« Last Edit: June 02, 2017, 09:35:46 AM by Titans »

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 370
Re: False-Positive report thread
« Reply #187 on: June 02, 2017, 10:38:57 AM »
Actually, this is not a false positive. Somebody is trying to pass part of an HTML document as an argument, and it is blocked by the rule which prevents HTML injection. So if you believe that this is a False Positive, then you can disable this rule.

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 370
Re: False-Positive report thread
« Reply #188 on: June 02, 2017, 10:41:58 AM »
Quote from: PRO ISP on June 02, 2017, 08:50:23 AM
1. 212480
2. Concrete5 version 5.6.3.4
3. [Fri Jun 02 05:56:49.465017 2017] [:error] [pid 717640] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<[^\\\\w<>]*(?:[^<>\\"'\\\\s]*:)?[^\\\\w<>]*(?:\\\\W*?s\\\\W*?c\\\\W*?r\\\\W*?i\\\\W*?p\\\\W*?t|\\\\W*?f\\\\W*?o\\\\W*?r\\\\W*?m|\\\\W*?s\\\\W*?t\\\\W*?y\\\\W*?l\\\\W*?e|\\\\W*?s\\\\W*?v\\\\W*?g|\\\\W*?m\\\\W*?a\\\\W*?r\\\\W*?q\\\\W*?u\\\\W*?e\\\\W*?e|(?:\\\\W*?l\\\\W*?i\\\\W*?n\\\\W*?k|\\\\W*?o\\\\W*?b\\\\W*?j\\\\W*?e\\ ..." at ARGS:blogBody. [file "/var/cpanel/cwaf/rules/08_XSS_XSS.conf"] [line "331"] [id "212480"] [rev "1"] [msg "COMODO WAF: NoScript XSS InjectionChecker: HTML Injection||domain.tld|F|2"] [data "Matched Data: <p><img src= found within ARGS:blogBody: <p><img src=\\x22/files/9514/9630/2818/C5DK_BP_uID-84_Pic_pop-designs-for-bedroom-roof-POP-ceiling-designs-with-lights.jpg\\x22 alt=\\x22\\x22 /></p>\\x0d\\x0a<p>\\xa0</p>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "domain.tld"] [uri "/index.php/c5dk_blogging_post/save/"] [unique_id "WTDiAdWi8B4ACvNIY[at]0AAAAD"]
Rule has been removed, please update your rules.

Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 156
Re: False-Positive report thread
« Reply #189 on: June 02, 2017, 10:49:21 AM »
Customer tried to post something in Concrete5 and it was not working. So rule 212480 was a false positive!
Customer said: just an "img" tag or "iframe" tag submitted from the editor leads to a forbidden error. We are using the POST method in the form.

Quote from: TDmitry on June 02, 2017, 10:41:58 AM
Rule has been removed, please update your rules.
-> You mean we should:
cd /var/cpanel/cwaf/scripts/
./updater.pl -w

Even though we have latest ruleset?

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 370
Re: False-Positive report thread
« Reply #190 on: June 02, 2017, 11:02:10 AM »
Quote from: Hedloff on June 02, 2017, 10:49:21 AM
...
Even though we have latest ruleset?

Yes, this rule isn't present in the latest ruleset (v1.125). Can you check one more time?

Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 156
Re: False-Positive report thread
« Reply #191 on: June 02, 2017, 11:47:42 AM »
Ok, didn't find the rule now. But I did upgrade the ruleset earlier.
But is it possible that when you release new rulesets, you include the rule ids that were removed in the changelog in the future? :)

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 370
Re: False-Positive report thread
« Reply #192 on: June 06, 2017, 04:40:49 AM »
Quote from: Hedloff on June 02, 2017, 11:47:42 AM
Ok, didn't find the rule now. But I did upgrade the ruleset earlier.
But is it possible that when you release new rulesets, you include the rule ids that were removed in the changelog in the future? :)

It is under the blurred "FP fix" phrase. Anyway, this won't happen too often.

Offline PRO ISP

  • Newbie
  • *
  • Posts: 16
Re: False-Positive report thread
« Reply #193 on: June 16, 2017, 09:12:53 AM »
1. 218530

2.  Plugin version=2.21
     Installed rules version=1.126
     Available rules version=1.127
     Installed for web platform=Apache

3. [Fri Jun 16 10:20:09.315989 2017] [:error] [pid 575654] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)\\\\b|s(?:ys(?:\\\\.database_name|aux)\\\\b|chema(?:\\\\W*\\\\(|_name\\\\b)|qlite(_temp)?_master\\\\b) ..." at ARGS:editor_database_recordrow_1027. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "74"] [id "218530"] [rev "3"] [msg "COMODO WAF: SQL Injection Attack: Common DB Names Detected||lowepost.com|F|2"] [data "Matched Data: database( found within ARGS:editor_database_recordrow_1027: {{$rowIds = array();}}\\x0a{{foreach $rows as $row}}\\x0a\\x09{{$idField = $row::$databaseColumnId;}}\\x0a\\x09{{$rowIds[] = $row->$idField;}}\\x0a{{endforeach}}\\x0a{{$iposted = ( $table AND method_exists( $table, 'container' ) AND $table->container() !== NULL ) ? $table->container()->contentPostedIn( null, $rowIds ) : array();}}\\x0a\\x0a{{foreach $rows as $row}}\\x0a\\x09{{$idField = $row::$databaseColumnId;}}\\x0a\\x09<li cla [hostname "******"] [uri "/admin/"] [unique_id "WUOUuKSEpNwACMim7GsAAAAH"]
« Last Edit: June 16, 2017, 09:57:43 AM by Titans »
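The two Apache error-log entries posted in Reply #186 and Reply #193 have the same shape: a free-text denial message, the variable the pattern hit, then a run of bracketed `[key "value"]` fields carrying the rule id, rule file, matched data, tags and URI. The script below is an added example (not code from this thread, from Comodo, or from the CWAF plugin) that parses lines of that shape, pulls out exactly the token that fired, counts hits per rule id so an operator can see which rule a complaint is really about, and formats the three items the reports in this thread carry. It also emits the narrowest exclusion for a confirmed false positive using stock ModSecurity 2.x directives (`SecRule ... ctl:ruleRemoveTargetById=ID;ARGS:name`, or `ctl:ruleRemoveById=ID` when no argument is known) scoped to one URI, rather than disabling the rule globally. The `SAMPLE_LOG` lines are constructed to mirror the thread's entries: rule ids, rule files, targets and URIs follow the thread, while `example.tld`, the `unique_id` values, the `SQLi` tag and the exclusion rule id `9000001` are placeholders, and the long regexes are cut short. Whether a CWAF installation keeps hand-written exclusions across rule updates is an assumption to verify locally; the thread does not say.

```python
"""Triage helpers for ModSecurity / CWAF error-log denials (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the entries posted in this thread: rule ids,
# rule files, targets and URIs follow the thread; hostnames, unique_ids and the
# "SQLi" tag are placeholders, and the long regexes are cut short with "...".
SAMPLE_LOG = r'''[Fri Jun 16 10:20:09.315989 2017] [:error] [pid 575654] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:m(?:s ..." at ARGS:editor_database_recordrow_1027. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "74"] [id "218530"] [rev "3"] [msg "COMODO WAF: SQL Injection Attack: Common DB Names Detected||example.tld|F|2"] [data "Matched Data: database( found within ARGS:editor_database_recordrow_1027: {{$idField = $row::$databaseColumnId;}}"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.tld"] [uri "/admin/"] [unique_id "PLACEHOLDER-ID-1"]
[Fri Jun 02 05:56:49.465017 2017] [:error] [pid 717640] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<[^\\w<>]* ..." at ARGS:blogBody. [file "/var/cpanel/cwaf/rules/08_XSS_XSS.conf"] [line "331"] [id "212480"] [rev "1"] [msg "COMODO WAF: NoScript XSS InjectionChecker: HTML Injection||example.tld|F|2"] [data "Matched Data: <p><img src= found within ARGS:blogBody: <p><img src=\x22/files/pic.jpg\x22 alt=\x22\x22 /></p>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "example.tld"] [uri "/index.php/c5dk_blogging_post/save/"] [unique_id "PLACEHOLDER-ID-2"]
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # every [key "value"] pair
TIMESTAMP_RE = re.compile(r'^\[([^\]]+)\]')
ACTION_RE = re.compile(r'ModSecurity: (Access denied[^.]*\.)')
TARGET_RE = re.compile(r' at (\S+?)\.\s+\[file ')           # variable the pattern hit
MATCHED_RE = re.compile(r'Matched Data: (.*?) found within (\S+?): (.*)', re.S)


@dataclass
class WafEvent:
    timestamp: str
    action: str
    target: str            # e.g. ARGS:blogBody
    rule_id: str
    rule_file: str
    msg: str               # msg with the "||host|F|2" suffix seen in the thread removed
    data: str
    uri: str
    tags: List[str] = field(default_factory=list)
    raw: str = ""


def parse_event(line: str) -> Optional[WafEvent]:
    """Parse one error-log line; returns None for lines that are not ModSecurity denials."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields: Dict[str, str] = {}
    tags: List[str] = []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)          # [tag "..."] repeats, so collect it separately
        else:
            fields[key] = value
    ts = TIMESTAMP_RE.match(line)
    target = TARGET_RE.search(line)
    return WafEvent(
        timestamp=ts.group(1) if ts else "",
        action=action.group(1),
        target=target.group(1) if target else "",
        rule_id=fields.get("id", ""),
        rule_file=fields.get("file", ""),
        msg=fields.get("msg", "").split("||", 1)[0],
        data=fields.get("data", ""),
        uri=fields.get("uri", ""),
        tags=tags,
        raw=line,
    )


def parse_log(text: str) -> List[WafEvent]:
    return [ev for ev in map(parse_event, text.splitlines()) if ev is not None]


def count_by_rule(events: List[WafEvent]) -> Dict[str, int]:
    """Hits per rule id: the first thing to look at when a complaint names several rules."""
    return dict(Counter(ev.rule_id for ev in events))


def matched_fragment(event: WafEvent) -> Tuple[str, str, str]:
    """Split the data field into (token that fired, variable it was found in, the value)."""
    m = MATCHED_RE.match(event.data)
    return (m.group(1), m.group(2), m.group(3)) if m else ("", "", event.data)


def exclusion_for(event: WafEvent, exclusion_id: int = 9000001) -> str:
    """Narrowest stock ModSecurity 2.x exclusion for a confirmed false positive.

    Scoped to the URI, and to the one argument that fired when it is known, instead of
    disabling the rule everywhere. exclusion_id is a constructed placeholder.
    """
    ctl = (f"ctl:ruleRemoveTargetById={event.rule_id};{event.target}"
           if event.target.startswith("ARGS:")
           else f"ctl:ruleRemoveById={event.rule_id}")
    return (f'SecRule REQUEST_URI "@streq {event.uri}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,{ctl}"')


def fp_report(event: WafEvent, app_version: str) -> str:
    """The three items reports in this thread carry: rule id, web app + version, log line."""
    return f"1. {event.rule_id}\n2. {app_version}\n3. {event.raw}"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        token, where, _ = matched_fragment(ev)
        print(f"rule {ev.rule_id} on {ev.uri}: {token!r} in {where} -> {ev.msg}")
        print(exclusion_for(ev))
    print(count_by_rule(evs))
```

Run it as-is to see the two sample denials reduced to rule id, URI, the fragment that matched and a candidate exclusion line; point `parse_log` at a real Apache error log (the `[file "/var/cpanel/cwaf/rules/..."]` entries) to rank which rule ids are generating complaints before deciding whether to exclude a rule for one argument, for one URI, or not at all.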

Offline limithat

  • Newbie
  • *
  • Posts: 17
Re: False-Positive report thread
« Reply #194 on: June 23, 2017, 09:11:17 AM »
Hello Titans,

We are working on your issue and will get back to you as soon as possible.

Thanks and Regards,
Comodo cWatch Web Support Team.
