
Rule 932240 google analytics GS2 false positive #4134

@T-Stolf

Description


Rule 932240 is falsely flagging Google Analytics cookies in the GS2 format as an evasion attempt, because the regex $+[!#*-0-9?@\x5c_a{]+ matches the new cookie format, which uses '$' separators instead of '.' separators.

How to reproduce the misbehavior (-> curl call)

N/A

Logs

This is a sample of the logs today with the indicated issue (from modsec_audit.log)

---bO5kkteJ---A--
[16/May/2025:09:XX:XX -0400] XXXX
---bO5kkteJ---B--
GET /XXXX HTTP/2.0
if-modified-since: Mon, 30 Sep 2024 18:XX:XX GMT
sec-ch-ua-mobile: ?0
accept: text/css,*/*;q=0.1
sec-ch-ua: "Microsoft Edge";v="135", "Not-A.Brand";v="8", "Chromium";v="135"
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0
if-none-match: XX
sec-ch-ua-platform: "Windows"
referer: https://XX
sec-fetch-dest: style
sec-fetch-mode: no-cors
host: XX
accept-encoding: gzip, deflate, br, zstd
cookie: _ga=GA1.1.859495864.1741097619; _ga_SM37QL5J42=GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0
accept-language: en-US,en;q=0.9
priority: u=0

---bO5kkteJ---F--
HTTP/2.0 304
Server: nginx
Date: Fri, 16 May 2025 13:XX:XX GMT
Last-Modified: Mon, 30 Sep 2024 18:XX:XX GMT
Connection: close
Cache-Control: max-age=60
ETag: XX
X-Cache-Status: BYPASS
Strict-Transport-Security: max-age=15768000; includeSubDomains

---bO5kkteJ---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0' ) [file "/XX/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1184"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: s1747402925$o58 found within REQUEST_COOKIES:_ga_SM37QL5J42: GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0"] [severity "2"] [ver "OWASP_CRS/4.12.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "XX"] [uri "/XX.css"] [unique_id "174740276720.056717"] [ref "o6,15v836,45v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,1v882,0v882,3v882,1v882,1v882,3v882,3v882,52v882,17v882,16v882,6v882, (352 characters omitted)"]

---bO5kkteJ---Z--

---hmKBZNNB---A--
[16/May/2025:09:XX:XX -0400] XXXX
---hmKBZNNB---B--
GET /XXXX HTTP/2.0
if-modified-since: Thu, 15 May 2025 16:XX:XX GMT
sec-ch-ua-mobile: ?0
accept: */*
sec-ch-ua: "Microsoft Edge";v="135", "Not-A.Brand";v="8", "Chromium";v="135"
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0
if-none-match: "682616a3-3509"
sec-ch-ua-platform: "Windows"
referer: https://XX
sec-fetch-dest: script
sec-fetch-mode: no-cors
host: XX
accept-encoding: gzip, deflate, br, zstd
cookie: _ga=GA1.1.859495864.1741097619; _ga_SM37QL5J42=GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0
accept-language: en-US,en;q=0.9
priority: u=1

---hmKBZNNB---F--
HTTP/2.0 304
Server: nginx
Date: Fri, 16 May 2025 13:XX:XXGMT
Last-Modified: Thu, 15 May 2025 16:XX:XX GMT
Connection: close
Cache-Control: max-age=60
ETag: XX
X-Cache-Status: BYPASS
Strict-Transport-Security: max-age=15768000; includeSubDomains

---hmKBZNNB---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0' ) [file "/XX/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1184"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: s1747402925$o58 found within REQUEST_COOKIES:_ga_SM37QL5J42: GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0"] [severity "2"] [ver "OWASP_CRS/4.12.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "XX"] [uri "XX.js"] [unique_id "174740276776.500951"] [ref "o6,15v746,45v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,1v792,0v792,3v792,1v792,1v792,3v792,3v792,21v792,17v792,16v792,6v792, (352 characters omitted)"]

---hmKBZNNB---Z--

---FBi25l8w---A--
[16/May/2025:09:XX:XX -0400] XXXX
---FBi25l8w---B--
GET XXXX HTTP/2.0
if-modified-since: Tue, 25 Feb 2025 09:XX:XX GMT
sec-ch-ua-mobile: ?0
accept: */*
sec-ch-ua: "Microsoft Edge";v="135", "Not-A.Brand";v="8", "Chromium";v="135"
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0
if-none-match: "67bd8bd5-5778"
sec-ch-ua-platform: "Windows"
referer: https://XX
sec-fetch-dest: script
sec-fetch-mode: no-cors
host: unityhealth.to
accept-encoding: gzip, deflate, br, zstd
cookie: _ga=GA1.1.859495864.1741097619; _ga_SM37QL5J42=GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0
accept-language: en-US,en;q=0.9
priority: u=1

---FBi25l8w---F--
HTTP/2.0 304
Server: nginx
Date: Fri, 16 May 2025 13:XX:XX GMT
Last-Modified: Tue, 25 Feb 2025 09:XX:XX GMT
Connection: close
Cache-Control: max-age=60
ETag: "67bd8bd5-5778"
X-Cache-Status: BYPASS
Strict-Transport-Security: max-age=15768000; includeSubDomains

---FBi25l8w---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `[0-9]\s*\'\s*[0-9]' against variable `MATCHED_VAR' (Value: `GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0' ) [file "XX/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1184"] [id "932240"] [rev ""] [msg "Remote Command Execution: Unix Command Injection evasion attempt detected"] [data "Matched Data: s1747402925$o58 found within REQUEST_COOKIES:_ga_SM37QL5J42: GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0"] [severity "2"] [ver "OWASP_CRS/4.12.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "XX"] [uri "XX.js"] [unique_id "174740276764.473744"] [ref "o6,15v767,45v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,1v813,0v813,3v813,1v813,1v813,3v813,3v813,16v813,17v813,16v813,6v813, (352 characters omitted)"]

---FBi25l8w---Z--

Your Environment

  • CRS version (e.g., v3.3.4): OWASP CRS ver.4.12.0
  • Paranoia level setting (e.g. PL1) : PL2
  • ModSecurity version (e.g., 2.9.6): ModSecurity 3.0
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54):
  • Operating System and version: Ubuntu 22.04.5 LTS

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
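The following script is an added example written for this page; it is not the reporter's code and not part of OWASP CRS. It reproduces the false positive offline and shows the check a practitioner would run before writing an exclusion: it splits the Cookie header from the audit log into REQUEST_COOKIES the way a WAF does, applies an ASSUMED stand-in pattern (word characters, then a `$`-prefixed token, the shape of the "Matched Data" in the log; it is not the real 932240 regex) to each cookie value, and then validates the flagged value against the GS2 cookie grammar inferred from the sample (GS2.<n>.s<digits> followed by `$<letter><digits>` fields; the meaning of the fields is assumed, not documented). It also parses the `[data "Matched Data: ..."]` fragment of the ModSecurity H line so the same decision can be made from the audit log alone.

```python
import re

# Cookie header and the ModSecurity "H" line below are copied (trimmed) from
# the audit log in this issue; everything else in this block is constructed.
COOKIE_HEADER = (
    "_ga=GA1.1.859495864.1741097619; "
    "_ga_SM37QL5J42=GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0"
)
AUDIT_H_LINE = (
    'ModSecurity: Warning. Matched ... [id "932240"] [rev ""] '
    '[msg "Remote Command Execution: Unix Command Injection evasion attempt '
    'detected"] [data "Matched Data: s1747402925$o58 found within '
    'REQUEST_COOKIES:_ga_SM37QL5J42: '
    'GS2.1.s1747402925$o58$g1$t1747403211$j0$l0$h0"] [severity "2"]'
)

# ASSUMED stand-in for the evasion shape 932240 reports here: a run of word
# characters followed by a `$`-prefixed token (the shell-evasion idea behind
# inputs such as ca$1t or ca$@t). This is NOT the CRS regex; it only
# reproduces the "Matched Data" seen in the log.
EVASION_STANDIN = re.compile(r"\w+\$[\w!#*?@]+")

# Shape of the GA4 session cookie (_ga_<stream id>) inferred from the sample
# in this issue. ASSUMPTION: field letters and values beyond the sample are
# not verified; tighten or loosen this against your own traffic.
GS2_VALUE = re.compile(r"^GS2\.\d+\.s\d+(?:\$[a-z]\d+)+$")

# Extracts rule id, matched data, collection, variable name and full value
# from the [data "Matched Data: X found within COLL:NAME: VALUE"] fragment.
AUDIT_DATA = re.compile(
    r'\[id "(?P<rule_id>\d+)"\].*?\[data "Matched Data: (?P<matched>.*?) '
    r'found within (?P<collection>[A-Z_]+):(?P<name>[^:\s]+): (?P<value>[^"]*)"\]'
)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into name -> value, as a WAF does for REQUEST_COOKIES."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def evasion_hits(cookies: dict) -> dict:
    """Return {cookie name: matched text} for values the stand-in pattern flags."""
    hits = {}
    for name, value in cookies.items():
        m = EVASION_STANDIN.search(value)
        if m:
            hits[name] = m.group(0)
    return hits


def is_gs2_session_cookie(name: str, value: str) -> bool:
    """True only for a _ga_* cookie whose whole value fits the GS2 grammar."""
    return name.startswith("_ga_") and GS2_VALUE.fullmatch(value) is not None


def parse_audit_hit(line: str):
    m = AUDIT_DATA.search(line)
    return m.groupdict() if m else None


def triage_audit_hit(line: str) -> str:
    """Classify a 932240 audit-log hit: GA4 false positive or something to review."""
    hit = parse_audit_hit(line)
    if hit is None:
        return "not a parsable Matched Data line"
    if (hit["rule_id"] == "932240"
            and hit["collection"] == "REQUEST_COOKIES"
            and is_gs2_session_cookie(hit["name"], hit["value"])):
        return "false positive: GA4 GS2 session cookie"
    return "needs review"


if __name__ == "__main__":
    cookies = parse_cookie_header(COOKIE_HEADER)
    print("stand-in hits:", evasion_hits(cookies))   # only the GS2 cookie fires
    print("audit triage:", triage_audit_hit(AUDIT_H_LINE))
```

The old `_ga=GA1.1....` value never fires because it contains no `$`; the GS2 value fires on `s1747402925$o58`, the same fragment ModSecurity reports. Once the flagged value passes the strict GS2 check, the narrow fix on the CRS side is a target exclusion in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, for example `SecRuleUpdateTargetById 932240 "!REQUEST_COOKIES:/^_ga_/"`, which removes only `_ga_*` cookies from this rule at PL2 and leaves every other variable inspected. Validating the value shape first is what keeps that exclusion from becoming a blanket blind spot: a `_ga_*` cookie carrying `;cat$IFS/etc/passwd` does not match the grammar and still lands in "needs review".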
