Shell false positives for rules 932260 and 932236 #3631

@superlgn

Description

I've encountered some shell false positives for 932260 (PL1), 932236 and 932239 (PL2) for commands like sudo, df, fd, and grc.

Some of these I'm obviously familiar with, but others like 'fd' or 'grc' I've never come across before. I'm not sure exactly what they are or how commonly they may be used in attacks/information leakage, or how relaxed is even appropriate. Would it be acceptable for 'sudo' to be broken out into sudo@ and sudoedit, sudoreplay, etc., fd to fd@, df to df@? I'd think this would be ok, but I also don't know if there are additional commands that these substrings were intended to match on. And, more generally, should these lists be revisited to ensure the matches are concise enough? I feel like there's some potential for additional FPs on unix-shell-upto3.ra and even some of the 4 character words on unix-shell-4andup.ra (expr, sched, uniq).

I didn't include any examples for grc. It just happens to match on the first 3 characters of a cookie prefix we use for a site and I've taken care of those individually. Just thought it was worth mentioning due to my unfamiliarity and the general questions.

How to reproduce the misbehavior (-> curl call)

932260 - PL1 on 'sudo' in REQUEST_COOKIES:fpestid

curl -H "x-format-output: txt-matched-rules" --cookie "fpestid=SUDoLongRandomString" https://sandbox.coreruleset.org/
932260 PL1 Remote Command Execution: Direct Unix Command Execution
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
-
[Mon Feb 26 20:14:58.290634 2024] [:error] [pid 32480] [client 1.2.3.4:56492] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9 ..." at REQUEST_COOKIES:fpestid. [file "crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "498"] [id "932260"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: SUDo found within REQUEST_COOKIES:fpestid: SUDoLongRandomString"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.1-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "www.example.com"] [uri "/abc/"] [unique_id "Zd1ForZabQ9-ap78Ly4PHQAAAAs"], referer: https://www.example.com/xyz/

932236 - PL2 on 'df' and 'fd' in ARGS (uniqid, uuid, or hex-type values)

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 2" "https://sandbox.coreruleset.org/get?abc=dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c"
932236 PL2 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
-
[Sat Mar 23 18:36:57.137426 2024] [:error] [pid 30042] [client 1.2.3.4:53294] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_ ..." at ARGS:abc. [file "crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1368"] [id "932236"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: df found within ARGS:abc: dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.1-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "www.example.com"] [uri "/xyz/"] [unique_id "Zf9nmYvL5W2kWBKkT1JMpQAAAAI"]

and REQUEST_COOKIES (ids, hex values, etc)

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 2" --cookie "abc=fd01bfcfdbe02" https://sandbox.coreruleset.org/ 
932236 PL2 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
-
[Sat Mar 23 06:18:31.906424 2024] [:error] [pid 208032] [client 1.2.3.4:36324] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_ ..." at REQUEST_COOKIES:abc. [file "crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1368"] [id "932236"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: fd found within REQUEST_COOKIES:abc: fd01bfcfdbe02"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.1-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "www.example.com"] [uri "/xyz/"] [unique_id "Zf66hyl54eZv1SgtgUHGRQAAAA0"], referer: https://www.example.com/

932239 - PL2 for REQUEST_HEADERS:Referer

curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 2" --referer "https://sandbox.coreruleset.org/get?abc=dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c" https://sandbox.coreruleset.org/
932239 PL2 Remote Command Execution: Unix Command Injection found in user-agent or referer header
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
-
[Sat Mar 23 19:55:03.716728 2024] [:error] [pid 6278] [client 1.2.3.4:38730] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 1). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_ ..." at REQUEST_HEADERS:Referer. [file "crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1430"] [id "932239"] [msg "Remote Command Execution: Unix Command Injection found in user-agent or referer header"] [data "Matched Data: =fd found within REQUEST_HEADERS:Referer: https://www.example.com/xyz/?abc=dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.1-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "www.example.com"] [uri "/news/"] [unique_id "Zf9556f1ZVkt2o@NOscW7gAAABc"], referer: https://www.example.com/xyz/

Your Environment

  • CRS version (e.g., v3.3.4): 4.0.1-dev
  • Paranoia level setting (e.g. PL1) : PL1+ (can change dynamically based on geolocation, rbl scores, etc)
  • ModSecurity version (e.g., 2.9.6): 2.9.7-1+b1
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Apache 2.4.57-2
  • Operating System and version: Debian 12

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
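The following is an added illustration, not code from the reporter or from the CRS project, of why the report's values trip these rules and what the proposed `@` entries would change. It models two word-list conventions with a toy regex builder written for this example: a bare entry such as `sudo` is matched as a prefix (so it also covers `sudoedit`, and `SUDoLongRandomString`), while an entry such as `sudo@` is taken to require a shell terminator (whitespace, an operator, or end of input) after the word. The terminator class, the `PROPOSED_LIST`, and the non-FP samples are assumptions constructed here; the FP samples are the values from the report. This approximates the convention the report refers to and is not the CRS regex-assembly tooling.

```python
import re

# Constructed word lists. A bare word is matched as a prefix; a trailing "@" means the
# word must be followed by a terminator. The lists here are illustrative, not the CRS data files.
CURRENT_LIST = ["sudo", "df", "fd"]
PROPOSED_LIST = ["sudo@", "sudoedit", "sudoreplay", "df@", "fd@"]

# Assumed set of characters that can legitimately end a command word in a shell context,
# plus end of input. The real rules use a wider, more carefully built class.
TERMINATOR = r"(?:[\s;|&<>()`\"']|$)"

# Values taken from the report (random cookie value, UUID-style ARGS value, hex cookie value).
REPORTED_FP_SAMPLES = [
    "SUDoLongRandomString",
    "dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c",
    "fd01bfcfdbe02",
]

# Constructed command-like inputs that a tightened list must still catch.
COMMAND_SAMPLES = ["sudo ls", "sudoedit -h", "df -h", "x;df"]


def build_pattern(words):
    """Compile a case-insensitive pattern from a word list.

    The leading (?:^|\\b) mirrors the word-start requirement visible in the
    logged pattern; the word-end requirement only exists for "@" entries.
    """
    alts = []
    for w in words:
        if w.endswith("@"):
            alts.append(re.escape(w[:-1]) + TERMINATOR)
        else:
            alts.append(re.escape(w))
    return re.compile(r"(?i)(?:^|\b)(?:" + "|".join(alts) + r")")


def matches(pattern, value):
    """Return the matched text, or None when the value does not trip the pattern."""
    m = pattern.search(value)
    return m.group(0) if m else None


def evaluate(words, samples):
    """Map each sample to the text a list built from `words` would match (None if no match)."""
    pattern = build_pattern(words)
    return {s: matches(pattern, s) for s in samples}


if __name__ == "__main__":
    for name, words in (("current", CURRENT_LIST), ("proposed", PROPOSED_LIST)):
        print(f"== {name} list ==")
        for sample, hit in evaluate(words, REPORTED_FP_SAMPLES + COMMAND_SAMPLES).items():
            print(f"  {sample!r:45} -> {hit!r}")
```

Run as a script, the current-style list reports a hit on all three reported values (`SUDo`, `df`, `fd`) because nothing constrains what follows the word, while the `@` list matches none of them and still catches every entry in `COMMAND_SAMPLES`. The cost is visible too: once `sudo@` requires a terminator, `sudoedit` is only caught because it is listed explicitly, which is why the report pairs `sudo@` with separate `sudoedit`/`sudoreplay` entries.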

Labels

  • False Positive
  • v4 LTS (Needed for v4 LTS)
  • v4 unix rce (One of the many reports on FPs with the new unix rce rules in v4)
