Rule 942100 - filter by libinjection fingerprints
10 views
Skip to first unread message
AW
Oct 19, 2022, 5:31:32 AM10/19/22
to ModSecurity Core Rule Set project
Hi,
i am using mod_sec and getting some false positives from the SQL-Injection rule thats using libinjection:
ModSecurity: Warning. detected SQLi using libinjection with fingerprint '1c'
I would like to keep the rule but ignore the fingerprint 1c from the results, so that this rule lets the request pass.
How can this behaviour achived??
Ervin Hegedüs
Oct 19, 2022, 6:07:30 AM10/19/22
to AW, ModSecurity Core Rule Set project
Hi AW,
On Wed, Oct 19, 2022 at 02:31:32AM -0700, AW wrote:
> Hi,
>
> i am using mod_sec and getting some false positives from the SQL-Injection
> rule thats using libinjection:
>
> ModSecurity: Warning. detected SQLi using libinjection with fingerprint '1c'
Thanks for submitting and sorry for your inconvenience.
Unfortunately, you are facing a false positive in the LibInjection library
that we are leveraging. You are not the first to report such an issue and
we are also aware that LibInjection has become largely unmaintained, so
you are a bit at a loss here.
Instead, you need to help yourself by writing one or more rule exclusions
that are specific to your setup.
If you are not familiar with this technique then take a look at the
https://www.netnea.com/cms/apache-tutorials/ that covers handling
false positives.
> I would like to keep the rule but ignore the fingerprint 1c from the
> results, so that this rule lets the request pass.
>
> How can this behaviour achived??
Especially, you can make an exclusion only for a specific
target (it depends on your request), eg ARGS:formname.
Please note that we also provide rule exclusion packages for selected
off-the-shelf software at Paranoia Level 1 and Paranoia Level 2. These
can be activated by editing `crs-setup.conf` or by enabling them on the
platform you are using.
Regards,
Ervin,
in behalf of CRS Dev-on-Duty
On Wed, Oct 19, 2022 at 02:31:32AM -0700, AW wrote:
> Hi,
>
> i am using mod_sec and getting some false positives from the SQL-Injection
> rule thats using libinjection:
>
> ModSecurity: Warning. detected SQLi using libinjection with fingerprint '1c'
Unfortunately, you are facing a false positive in the LibInjection library
that we are leveraging. You are not the first to report such an issue and
we are also aware that LibInjection has become largely unmaintained, so
you are a bit at a loss here.
Instead, you need to help yourself by writing one or more rule exclusions
that are specific to your setup.
If you are not familiar with this technique then take a look at the
https://www.netnea.com/cms/apache-tutorials/ that covers handling
false positives.
> I would like to keep the rule but ignore the fingerprint 1c from the
> results, so that this rule lets the request pass.
>
> How can this behaviour achived??
target (it depends on your request), eg ARGS:formname.
Please note that we also provide rule exclusion packages for selected
off-the-shelf software at Paranoia Level 1 and Paranoia Level 2. These
can be activated by editing `crs-setup.conf` or by enabling them on the
platform you are using.
Regards,
Ervin,
in behalf of CRS Dev-on-Duty
Reply all
Reply to author
Forward
0 new messages