Author Topic: False-Positive report thread  (Read 27396 times)

Offline PRO ISP

  • Newbie
  • Posts: 16
Re: False-Positive report thread
« Reply #225 on: November 13, 2017, 09:36:29 PM »
1. False-Positive RuleId

214530

2. Web application + version NA

3. Request headers or at least debug log/modsec_audit.log
 ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\\\\x2260\\\\x22 width=\\\\x221 found within RESPONSE_BODY: <!DOCTYPE html>\\\\x0d\\\\x0a<html lang=\\\\x22en\\\\x22>\\\\x0d\\\\x0a<head>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<link rel=\\\\x22shortcut icon\\\\x22 href=\\\\x22assets/images/minibilde.png\\\\x22/>\\\\x0d\\\\x0a\\\\x0d\\\\x0a<title>Ben og Chris | Official Website</title>\\\\x0d\\\\x0a<meta name=\\\\x22description\\\\x22 content=\\\\x22Ben og Chris | Musikkgruppe fra Oppland som prod [hostname "xxxx.com"] [uri "/index.php"] [unique_id "WgpH16wVE[at]xlQLsYbs99TwAAAJg"]
Host: xxxx.com

Message: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\s+(?!src=\\x22//www\\.googletagmanager\\.com)[^>]{1,}?\\b(?:height|width)\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\x22']{0,1}[^\\x22'123456789]{0,}?(?:[0123](?:\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe height=\x2260\x22 width=\x221 found within RESPONSE_BODY: <!DOCTYPE html>\x0d\x0a<html lang=\x22en\x22>\x0d\x0a<head>\x0d\x0a\x0d\x0a<link rel=\x22shortcut icon\x22 href=\x22assets/images/minibilde.png\x22/>\x0d\x0a\x0d\x0a<title>Ben og Chris | Official Website</title>\x0d\x0a<meta name=\x22description\x22 content=\x22Ben og Chris | Musikkgruppe fra Oppland som prod

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 4). Pattern match "<[^a-zA-Z0-9_]{0,}iframe\\\\\\\\s+(?!src=\\\\\\\\x22//www\\\\\\\\.googletagmanager\\\\\\\\.com)[^>]{1,}?\\\\\\\\b(?:height|width)\\\\\\\\b[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\\\\\\\\x22']{0,1}[^\\\\\\\\x22'123456789]{0,}?(?:[0123](?:\\\\\\\\.[0-9]{0,}){0,1}%|(?:1{0,1}[0-9](?:\\\\\\\\.[0-9]{0,}){0,1}|20)(?![0- ..." at RESPONSE_BODY. [file "/var/cpanel/cwaf/rules/21_Outgoing_FilterInFrame.conf"] [line "14"] [id "214530"] [rev "3"] [msg "COMODO WAF: Possibly malicious iframe tag in output||xxx.com|F|4"] [data "Matched Data: <!-- ---------------------------------------------------------------------------------------------------- -->   <!-- <iframe
turned off rule

Offline SergeiP

  • Moderator
  • Comodo Family Member
  • Posts: 94
Re: False-Positive report thread
« Reply #226 on: November 15, 2017, 06:02:17 AM »

If you have some complications with the setup of CWAF, you can create an account on https://support.comodo.com/ and create a ticket related to WAF Support.

Offline Hedloff

  • Comodo Loves me
  • Posts: 153
Re: False-Positive report thread
« Reply #227 on: November 15, 2017, 07:47:22 AM »
If you have some complications with the setup of CWAF, you can create an account on https://support.comodo.com/ and create a ticket related to WAF Support.

Titans just reported a FS for your rules. Why did you respond with that answer?

Offline SergeiP

  • Moderator
  • Comodo Family Member
  • Posts: 94

Offline lord alibaski

  • Newbie
  • Posts: 1
Re: False-Positive report thread
« Reply #229 on: November 26, 2017, 02:15:53 PM »
Hi, I would like to thank all for the help with this; it's the first time I have had trouble with this. My hosting sent me here because I have had to disable Mod Security inside WHM, the reason being that it's giving me a false positive from my SMF forum, which is causing a major issue when posting a topic.

WHM
Original Id - 217280


SecRule ARGS_NAMES|ARGS|XML:/*|!ARGS:/content/ "@pm get post head options connect put delete trace propfind propatch mkcol copy move lock unlock" \
   "id:217280,chain,msg:'COMODO WAF: HTTP Request Smuggling Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule MATCHED_VAR "@rx (?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
   "setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"


Request:   POST /index.php?action=post2;start=0;msg=50310;eb6c3d7af24=89ab22e1f6b8290ed75a236b24396dee;board=4
Action Description:   Access denied with code 403 (phase 2).
Justification:   Pattern match "(?:\\n|\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+" at MATCHED_VAR.


Request:   GET /
Action Description:   Access denied with code 403 (phase 2).
Justification:   Match of "rx ^(?:\\w+\\/[\\w\\-\\.]+)(?:;(?:charset=[\\w\\-]{1,18}|boundary=[\\w\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required

Hope this is what I needed to post.
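
The 217280 chain above is easy to trip with ordinary forum text, which is the false positive being reported. As an added example (not CWAF's or SMF's code), this Python model runs the two rules the way the chain does: @pm as a case-insensitive substring test over argument names and values, then the @rx pattern on the matched variable after its listed transforms. The SMF-style form fields are constructed, and the stdlib decoders are assumed to stand in for ModSecurity's.

```python
import re
from html import unescape
from urllib.parse import unquote

# Words from the first (@pm) rule of the 217280 chain, as posted above.
PM_WORDS = ("get", "post", "head", "options", "connect", "put", "delete", "trace",
            "propfind", "propatch", "mkcol", "copy", "move", "lock", "unlock")

# Second (chained @rx) rule pattern, copied from the rule text.
CHAIN_RX = re.compile(
    r"(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|"
    r"propatch|mkcol|copy|move|lock|unlock)\s+")

def chain_transform(value: str) -> str:
    """Stand-in for t:urlDecodeUni,t:htmlEntityDecode,t:lowercase (assumption:
    the stdlib decoders behave like ModSecurity's for ordinary text)."""
    return unescape(unquote(value)).lower()

def rule_217280(args: dict) -> list:
    """Return the variables (ARGS_NAMES:x or ARGS:x) on which the whole chain
    matches. args maps parameter name to value, already URL-decoded like
    ModSecurity's ARGS collection."""
    hits = []
    for name, value in args.items():
        candidates = [("ARGS_NAMES:" + name, name)]
        if not re.search("content", name):      # the !ARGS:/content/ exclusion
            candidates.append(("ARGS:" + name, value))
        for var_name, var in candidates:
            # Rule 1: @pm is a case-insensitive substring match; t:none
            if not any(w in var.lower() for w in PM_WORDS):
                continue
            # Rule 2 runs only on the variable rule 1 matched, after transforms
            if CHAIN_RX.search(chain_transform(var)):
                hits.append(var_name)
    return hits

# Constructed SMF-style post submission: a line starting with "Move" is enough.
SAMPLE_POST = {
    "action": "post2",                  # @pm hits "post"; no line break, chain fails
    "subject": "Re: server move",       # same for "move"
    "message": "Hi all,\r\nMove the files then lock the thread.\r\nThanks",
}

if __name__ == "__main__":
    print(rule_217280(SAMPLE_POST))     # ['ARGS:message']
```

Because ARGS is already URL-decoded, the chain's t:urlDecodeUni decodes a second time, so a message that literally contains "%0Aget%20" also matches.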

Offline SergeiP

  • Moderator
  • Comodo Family Member
  • Posts: 94
Re: False-Positive report thread
« Reply #230 on: November 29, 2017, 10:01:49 AM »
Hi lord alibaski, you don't need to post the rule, the id will be enough.
Please check if your mod_security.conf has such settings

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial

for obtaining modsec_audit.log which contains data:

Code:
[10/Nov/2017:15:39:27 +0000] WgXIL38AAAEAAEb7NVoAAAAA 10.0.2.2 50094 10.0.2.15 5080
--815f575b-B--
POST /mahara-17.04.1/htdocs/artefact/internal/index.php HTTP/1.1
Host: 10.8.4.2:5080
User-Agent: curl/7.56.1
Accept: */*
Cookie: mahara=bd7b6f93437c30c83fe9291c95d47a5dc64dd313a8efb0a915299b14e9ce2783
Content-Length: 493
Content-Type: application/x-www-form-urlencoded

--815f575b-C--
firstname=Admin%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=User%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&studentid=&preferredname=%3Cscript%3Ealert%283%29%3B%3C%2Fscript%3E&introduction=&email_selected=ansa%40localhost&email_valid%5B%5D=ansa%40localhost&officialwebsite=&personalwebsite=&blogaddress=&address=&town=&city=&country=&homenumber=&businessnumber=&mobilenumber=&faxnumber=&occupation=&industry=&submit=Processing+...&fs=aboutme&sesskey=I1xz5Fo4bs72pfu3&pieform_profileform=
--815f575b-F--
HTTP/1.1 403 Forbidden
Content-Length: 251
Connection: close
Content-Type: text/html; charset=iso-8859-1

--815f575b-E--

--815f575b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)([<\xef\xbc\x9c]script[^>\xef\xbc\x9e]*[>\xef\xbc\x9e][\\s\\S]*?)" at ARGS:firstname. [file "/usr/local/cwaf/rules/08_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "3"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||10.8.4.2:5080|F|2"] [data "Matched Data: <script> found within ARGS:firstname: Admin<script>alert(1);</script>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1510328367568352 42562 (- - -)
Stopwatch2: 1510328367568352 42562; combined=37219, p1=12867, p2=23752, p3=0, p4=0, p5=492, sr=926, sw=108, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.4 (Unix)
Engine-Mode: "ENABLED"
You can hide sensitive data like
Code:
Host: 10.8.4.2:5080
Your log
Code:
Request:   GET /
Action Description:   Access denied with code 403 (phase 2).
Justification:   Match of "rx ^(?:\\w+\\/[\\w\\-\\.]+)(?:;(?:charset=[\\w\\-]{1,18}|boundary=[\\w\\-]+)?)?$" against "REQUEST_HEADERS:Content-Type" required
refers to rule id 243930, but this rule leaves the message
Code:
COMODO WAF: Remote code execution in Apache Struts versions 2.3.31 - 2.3.5 and 2.5 - 2.5.10 (CVE-2017-5638)
Are you sure that you use the CWAF ruleset?

A POST request without a request body to a protected host
Code:
/index.php?action=post2;start=0;msg=50310;eb6c3d7af24=89ab22e1f6b8290ed75a236b24396dee;board=4
doesn't cause a 403.
If you use WHM + the Comodo WAF plugin then you are able to disable a single rule.
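
As an added example, not part of the post or of CWAF: a small Python parser for one serial-format audit entry of the kind the SecAuditEngine/SecAuditLogParts settings above produce, pulling out the rule id, message and matched variable a false-positive report needs, plus the Host masking the moderator suggests. The entry is constructed from the page's own sample, shortened and with the regex abbreviated.

```python
import re

# Constructed from the modsec_audit.log sample in the post above: one entry in
# SecAuditLogType Serial layout with parts A, B and H (boundary id is the page's).
SAMPLE = """--815f575b-A--
[10/Nov/2017:15:39:27 +0000] WgXIL38AAAEAAEb7NVoAAAAA 10.0.2.2 50094 10.0.2.15 5080
--815f575b-B--
POST /mahara-17.04.1/htdocs/artefact/internal/index.php HTTP/1.1
Host: 10.8.4.2:5080
User-Agent: curl/7.56.1

--815f575b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)([<]script)" at ARGS:firstname. [file "/usr/local/cwaf/rules/08_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "3"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||10.8.4.2:5080|F|2"] [data "Matched Data: <script> found within ARGS:firstname: Admin<script>alert(1);</script>"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--815f575b-Z--
"""

SECTION_RX = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # part boundary
TAG_RX = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')          # [key "value"]

def split_sections(entry: str) -> dict:
    """Map each part letter (A, B, H, ...) to the text between its boundaries."""
    marks = list(SECTION_RX.finditer(entry))
    return {m.group(2): entry[m.end():(marks[i + 1].start() if i + 1 < len(marks)
                                       else len(entry))].strip("\n")
            for i, m in enumerate(marks)}

def fp_report(entry: str) -> dict:
    """Rule id, message, matched variable and request line from one entry."""
    parts = split_sections(entry)
    msg = next(l for l in parts["H"].splitlines() if l.startswith("Message:"))
    tags = dict(TAG_RX.findall(msg))
    var = re.search(r"found within ([\w:.\-]+):", tags.get("data", ""))
    return {
        "rule_id": tags.get("id"),
        "msg": tags.get("msg", "").split("||")[0],   # drop the host|mode|x suffix
        "matched_var": var.group(1) if var else None,
        "request": parts["B"].splitlines()[0],
    }

def redact(entry: str) -> str:
    """Mask the Host header, as the moderator suggests, before posting a log."""
    return re.sub(r"^(Host: ).*$", r"\1xxxx.com", entry, flags=re.M)

if __name__ == "__main__":
    print(fp_report(SAMPLE))
```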
