I just installed mod_security on my Apache2 web server.
I activated all of the base_rules/ from OWASP CRS.
I found a false positive by looking inside of /var/log/apache2/modsec_audit.log.
The target URL is:
/mobile//index.cfm?gclid=Cj0KEQjw_qW9BRCcv-Xc5Jn-26gBEiQAM-iJhcydtemGoKm4rCJ7gbEgz5qL-MXF0tMh5BkaxVPZPYwaAvhW8P8HAQ
The error log is:
Message: Warning. Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*?){4,}" at ARGS:gclid. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:gclid: Cj0KEQjw_qW9BRCcv-Xc5Jn-26gBEiQAM-iJhcydtemGoKm4rCJ7gbEgz5qL-MXF0tMh5BkaxVPZPYwaAvhW8P8HAQ"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=0): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
The message is self-explaining but... that is not a malicious URL, for my website.
How can I 'whitelist' these kinds of URLs (e.g. those containing the gclid parameter) instead of completely disabling rule 981203?
You could add this config after you've defined the other rules:
However, I see a lot of false positives with this rule, so I often turn it off completely. The OWASP CRS is prone to over-alerting and requires a lot of tuning.
See this post for other suggested common rule tweaks: Modsecurity: Excessive false positives
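As an added example (not the answer's own config, which is not shown on the page), the following ModSecurity 2.x directives exclude only the gclid argument from the rule that actually matched. Note from the audit log above that the rule firing on ARGS:gclid is 981173 (the restricted SQL character rule); 981203 is the correlation rule that merely sums the inbound anomaly score, so the exclusion should target 981173. The file path and the rule id 10001 in the second variant are placeholders chosen for this example.

```apache
# Variant 1: remove ARGS:gclid from rule 981173 for every request.
# SecRuleUpdateTargetById modifies an already-loaded rule, so this line
# must come AFTER the Include that loads the CRS activated_rules
# (for example in a file such as /etc/modsecurity/zz_crs_exclusions.conf,
# placeholder path, loaded last).
SecRuleUpdateTargetById 981173 !ARGS:gclid

# Variant 2: scope the exclusion to the /mobile/ path only.
# ctl:ruleRemoveTargetById acts on the current transaction, so this rule
# runs in phase 1 (request headers), which is evaluated before the phase 2
# CRS rule 981173 inspects ARGS. It can live in the same exclusion file.
# Rule id 10001 is a placeholder; pick an id outside the CRS ranges.
SecRule REQUEST_URI "@beginsWith /mobile/" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=981173;ARGS:gclid"
```

Use one variant or the other, not both. After adding it, run `apachectl configtest`, reload Apache, and re-request the URL from the question: a subsequent look at /var/log/apache2/modsec_audit.log should show no 981173 match for ARGS:gclid, while the rule still applies to all other arguments, so a genuine injection attempt in a different parameter is still scored.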