Hi John,
Found this question on the ModSecurity forum - note that I did not find an answer!
With reference to the question below, note the emoticons on page 3 of this thread. I hope it is of some use?
............................
I've got a problem with modsecurity, modsecurity-crs and a little
nasty unicode-symbol, the "MASCULINE ORDINAL INDICATOR" or in short: º
http://codepoints.net/U+00BA?lang=en
This nasty symbol triggers multiple SQL injection rules:
Message: Pattern match
"(?i
?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "209"] [id "981257"] [msg "Detects MySQL
comment-/space-obfuscated injections and backtick termination"] [data
"Matched Data: , n\xc2\xba 1, 1\xc2\xba - 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Pattern match
"(?i
?:union\\s*?(?:all|distinct|[(! <at> ]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "223"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "Matched Data: \xc2\xba 1, 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Pattern match
"(?i
?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?
?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "245"] [id "981243"] [msg "Detects classic SQL injection
probings 2/2"] [data "Matched Data: \xc2\xba 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
I've configured
SecUnicodeCodePage 20127
SecUnicodeMapFile /etc/modsecurity/unicode.mapping
and the rules are using t:urlDecodeUni, but there are still these
audit events. I have no clue why; could someone help me with this?
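The following is an added illustration written for this page, not code from the thread or from ModSecurity/CRS. It reproduces the first alternative of the quoted rule 981257 as a byte-oriented regex (the way a PCRE pattern runs when UTF-8 mode is off) and as a Unicode-aware regex, and runs both over the street value from the audit log. The point it makes is an assumption about the likely cause: the rule's "quote" class spells the curly quotes and the acute accent out as UTF-8 byte sequences, so in byte mode the class also matches a lone 0xC2 lead byte, and º (U+00BA, encoded 0xC2 0xBA) shares that lead byte with ´ (U+00B4, encoded 0xC2 0xB4). The sample input is constructed from the log line; the pattern fragment and function names are mine.

```python
import re

# Constructed sample: the ARGS:address[street] value from the quoted audit log, as the raw
# UTF-8 bytes the rule engine sees ("C/ Mare de Déu del Corredor, nº 1, 1º - 1ª").
STREET_BYTES = "C/ Mare de Déu del Corredor, nº 1, 1º - 1ª".encode("utf-8")

# The quote class used by the quoted CRS rules: " ' ` ´ ’ ‘ with the last three written as
# UTF-8 byte sequences. In a byte-oriented engine every listed byte matches on its own,
# so the class also matches the bare lead byte 0xC2 of any U+0080..U+00BF character.
QUOTE_CLASS_BYTES = rb"[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]"

# First alternative of rule 981257 as quoted in the log, transcribed to a bytes pattern
# (assumed transcription; only this alternative is needed to reproduce the hit).
RULE_981257_BYTES = re.compile(
    rb",.*?[)\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]" + QUOTE_CLASS_BYTES
    + rb"(?:" + QUOTE_CLASS_BYTES + rb".*?" + QUOTE_CLASS_BYTES
    + rb"|\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+)",
    re.IGNORECASE,
)

# The same alternative as a Unicode (str) pattern, where ´ ’ ‘ are single characters
# and the class can no longer match half of a multi-byte sequence.
RULE_981257_UNICODE = re.compile(
    r",.*?[)\da-f\"'`´’‘][\"'`´’‘](?:[\"'`´’‘].*?[\"'`´’‘]|\Z|[^\"'`´’‘]+)",
    re.IGNORECASE,
)


def byte_mode_match(value: bytes):
    """Byte-mode search; returns the matched data, mirroring the log's 'Matched Data'."""
    m = RULE_981257_BYTES.search(value)
    return m.group(0) if m else None


def unicode_mode_match(value: bytes):
    """Unicode-mode search over the decoded string; returns None when nothing matches."""
    m = RULE_981257_UNICODE.search(value.decode("utf-8"))
    return m.group(0) if m else None


def quote_class_byte_hits(value: bytes):
    """(offset, byte) pairs where the byte-mode quote class fires on the sample."""
    return [(m.start(), m.group(0)) for m in re.finditer(QUOTE_CLASS_BYTES, value)]


def shares_lead_byte(ch: str, other: str) -> bool:
    """True when two characters start with the same UTF-8 lead byte (º and ´ do)."""
    return ch.encode("utf-8")[0] == other.encode("utf-8")[0]


if __name__ == "__main__":
    print("byte mode   :", byte_mode_match(STREET_BYTES))
    print("unicode mode:", unicode_mode_match(STREET_BYTES))
    print("class hits  :", quote_class_byte_hits(STREET_BYTES))
    print("º shares lead byte with ´:", shares_lead_byte("º", "´"))
```

The byte-mode search reproduces the log's Matched Data for rule 981257 exactly (", nº 1, 1º - 1" with º as 0xC2 0xBA), while the Unicode-mode search finds nothing in the same value, and the only places the quote class fires on the sample are the three 0xC2 lead bytes of º, º and ª. One caveat that follows from this: SecUnicodeCodePage and t:urlDecodeUni act on %uXXXX-encoded input, so they do not change how raw UTF-8 bytes in a form field are matched, which is consistent with the events persisting after that configuration. Where a field legitimately carries such characters, the usual remediation is a targeted rule exclusion for that argument (for example with ModSecurity's SecRuleUpdateTargetById directive) rather than a change to the decoding settings.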