Most Frequent False Positives Triggered by OWASP ModSecurity Core Rules 2.2.X


[UPDATE: There is a separate tutorial about the Handling of False Positives (This article here is mostly about statistical data).]

ModSecurity – or any WAF for that matter – produces false positives. If it does not produce false positives, then it's probably dead. A strict ruleset like the OWASP ModSecurity Core Rules brings a lot of false positives, and it takes some tuning to get down to a reasonable level of alerts. If you have tuned a few services, then some of the rules will become familiar to you. But which rules are these?

We are in the process of developing a paranoia mode for the OWASP ModSecurity Core Rules. The idea is to move certain rules into an optional section that only runs when explicitly enabled. This reduces false positives for the default installation but keeps the rules available to the experienced administrator. In fact, the current development tree of the Core Rules already comes without many of these overzealous rules. This post presents some data about the rules in the 2.2.X releases and how often my customers or I have encountered false positives with them.

The data is based on over 100 services of very heterogeneous character. There is a lot of b2b enterprise software, but also b2c sites, webmail sites, wikis, you name it. What I did was look for tuning rules or ignore rules, that is, rules that make false positives go away. I grepped over all the configs and summed up the results.

So this is no hard science: many different sites generated a lot of false positives. A dozen admins wrote tuning rules in a variety of styles. Some of the services were tightly covered, others only in a loose way. And then I summed it all up, putting small and big services together, never mind the differences between them. So this has to be taken with a substantial grain of salt. I am sure one could come up with better data. But I have not seen any public coverage of the topic. So this is a start and I invite you to present your stats as well.

Here we go with my stats: I have covered the base rules of the OWASP ModSecurity Core Rules and assigned the rules to four distinct groups:

  • none or hardly any false positives (184 rules)
  • few false positives (40 rules)
  • frequent false positives (18 rules)
  • very frequent false positives (11 rules)

There is a fifth group with auxiliary rules, which are not always logged and where the idea of false positives does not really make sense (31 rules).
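To make the counting concrete, here is an added example of my own; it is not the script behind the numbers in this post. It scans per-service ModSecurity configs for the usual tuning-rule styles (SecRuleRemoveById, SecRuleUpdateTargetById, and the ctl:ruleRemoveById / ctl:ruleRemoveTargetById actions), counts in how many services each Core Rules ID needed a tuning rule, and sorts every rule into one of the four groups. The four service configs are constructed samples, and the percentage thresholds between the groups are my assumption; the post only says that the very frequent group had tuning rules in half or more of the services.

```python
"""Count how many services needed a tuning rule for each CRS rule ID.

Added illustration of the counting described in the post, not the original
script. The sample configs and the group thresholds are assumptions.
"""
import re
from collections import defaultdict

# Tuning ("ignore") rules come in several styles. These are all genuine
# ModSecurity 2.x syntax; the regexes extract the rule IDs they silence:
#   SecRuleRemoveById 960024 981172 981173 960015-960017
#   SecRuleUpdateTargetById 981260 "!ARGS:body"
#   SecRule ... "id:10001,phase:2,pass,nolog,ctl:ruleRemoveById=950901"
#   SecRule ... "id:10002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=981260;ARGS:q"
_REMOVE_BY_ID = re.compile(r"^\s*SecRuleRemoveById\s+(.+?)\s*$", re.I | re.M)
_UPDATE_TARGET = re.compile(r"^\s*SecRuleUpdateTargetById\s+(\d+)", re.I | re.M)
_CTL_REMOVE = re.compile(r"ctl:ruleRemove(?:Target)?ById=(\d+(?:-\d+)?)", re.I)

# Constructed sample configs for four services (not real customer configs).
SAMPLE_CONFIGS = {
    "wiki": """
# tuning for the wiki (constructed sample)
SecRuleRemoveById 960024 981172 981173
SecRuleUpdateTargetById 981260 "!ARGS:body"
SecRule REQUEST_URI "@beginsWith /edit" "id:10001,phase:2,pass,nolog,ctl:ruleRemoveById=950901"
""",
    "shop": """
SecRuleRemoveById 960015 960017 981172-981173
# SecRuleRemoveById 950001   (commented out, so it must not be counted)
SecRule REQUEST_FILENAME "@streq /api/search" "id:10002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=981260;ARGS:q"
""",
    "webmail": """
SecRuleRemoveById "960024"
SecRule REQUEST_URI "@beginsWith /mail/compose" "id:10003,phase:2,pass,nolog,ctl:ruleRemoveById=981260,ctl:ruleRemoveById=981231"
""",
    "intranet": """
SecRuleRemoveById 960024 950000-999999
""",
}

def _strip_comments(text):
    """Drop comment lines so a commented-out tuning rule does not count."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def _expand(token):
    """Turn '960024' or '960015-960017' (optionally quoted) into the IDs covered."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", token.strip("\"'"))
    if not m:
        return []
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    # A range spanning more than 1000 IDs (e.g. 950000-999999) switches the
    # ruleset off rather than tuning one false positive: not counted (own cutoff).
    if hi < lo or hi - lo > 1000:
        return []
    return list(range(lo, hi + 1))

def tuned_rule_ids(config_text):
    """Set of CRS rule IDs that one service config silences or narrows."""
    text = _strip_comments(config_text)
    ids = set()
    for m in _REMOVE_BY_ID.finditer(text):
        for token in m.group(1).split():
            ids.update(_expand(token))
    for m in _UPDATE_TARGET.finditer(text):
        ids.add(int(m.group(1)))
    for m in _CTL_REMOVE.finditer(text):
        ids.update(_expand(m.group(1)))
    return ids

def services_per_rule(configs):
    """rule ID -> number of services with at least one tuning rule for it.
    A service counts once per rule, however many tuning rules it wrote."""
    counts = defaultdict(int)
    for text in configs.values():
        for rid in tuned_rule_ids(text):
            counts[rid] += 1
    return dict(counts)

def classify(n_tuned, n_services):
    """Assumed thresholds; the post only states 'half or more' for very frequent."""
    share = n_tuned / n_services
    if share >= 0.5:
        return "very frequent false positives"
    if share >= 0.2:
        return "frequent false positives"
    if share >= 0.05:
        return "few false positives"
    return "hardly any false positives"

def false_positive_table(configs, rule_ids):
    """Classify every rule ID; rules nobody tuned land in 'hardly any'."""
    counts = services_per_rule(configs)
    return {rid: classify(counts.get(rid, 0), len(configs)) for rid in rule_ids}

def bucket_sizes(table):
    """Group sizes, i.e. the post's '184 / 40 / 18 / 11' style summary."""
    sizes = defaultdict(int)
    for label in table.values():
        sizes[label] += 1
    return dict(sizes)

if __name__ == "__main__":
    crs_ids = [950001, 950901, 960015, 960017, 960024, 981172, 981173, 981231, 981260]
    table = false_positive_table(SAMPLE_CONFIGS, crs_ids)
    for rid in crs_ids:
        print(rid, table[rid])
    print(bucket_sizes(table))
```

A service counts once per rule ID however many tuning rules it contains, commented-out directives are ignored, and a removal range covering thousands of IDs is skipped because it switches the ruleset off rather than tuning a single false positive. Run as a script, the block prints one line per rule ID with its group, followed by the group sizes.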

Here are the individual rules and in which group they fall; all sorted by rule id:

Rule ID | Description / Message | False Positives Frequency
--- | --- | ---
950001 | SQL Injection Attack | frequent false positives
950002 | System Command Access | few false positives
950005 | Remote File Access Attempt | few false positives
950006 | System Command Injection | few false positives
950007 | Blind SQL Injection Attack | few false positives
950008 | Injection of Undocumented ColdFusion Tags | few false positives
950009 | Session Fixation Attack | few false positives
950010 | LDAP Injection Attack | few false positives
950011 | SSI injection Attack | hardly any false positives
950018 | Universal PDF XSS URL Detected. | hardly any false positives
950019 | Email Injection Attack | hardly any false positives
950103 | Path Traversal Attack | hardly any false positives
950107 | URL Encoding Abuse Attack Attempt | hardly any false positives
950109 | Multiple URL Encoding Detected | frequent false positives
950110 | Backdoor access | hardly any false positives
950116 | Unicode Full/Half Width Abuse Attack Attempt | hardly any false positives
950117 | Remote File Inclusion Attack | hardly any false positives
950118 | Remote File Inclusion Attack | hardly any false positives
950119 | Remote File Inclusion Attack | hardly any false positives
950120 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | hardly any false positives
950801 | UTF8 Encoding Abuse Attack Attempt | hardly any false positives
950901 | SQL Injection Attack: SQL Tautology Detected. | very frequent false positives
950907 | System Command Injection | frequent false positives
950908 | SQL Injection Attack. | hardly any false positives
950910 | HTTP Response Splitting Attack | hardly any false positives
950911 | HTTP Response Splitting Attack | few false positives
950921 | Backdoor access | hardly any false positives
950922 | Backdoor access | hardly any false positives
958000 | Cross-site Scripting (XSS) Attack | hardly any false positives
958001 | Cross-site Scripting (XSS) Attack | hardly any false positives
958002 | Cross-site Scripting (XSS) Attack | hardly any false positives
958003 | Cross-site Scripting (XSS) Attack | hardly any false positives
958004 | Cross-site Scripting (XSS) Attack | hardly any false positives
958005 | Cross-site Scripting (XSS) Attack | hardly any false positives
958006 | Cross-site Scripting (XSS) Attack | hardly any false positives
958007 | Cross-site Scripting (XSS) Attack | hardly any false positives
958008 | Cross-site Scripting (XSS) Attack | hardly any false positives
958009 | Cross-site Scripting (XSS) Attack | hardly any false positives
958010 | Cross-site Scripting (XSS) Attack | hardly any false positives
958011 | Cross-site Scripting (XSS) Attack | hardly any false positives
958012 | Cross-site Scripting (XSS) Attack | hardly any false positives
958013 | Cross-site Scripting (XSS) Attack | hardly any false positives
958016 | Cross-site Scripting (XSS) Attack | hardly any false positives
958017 | Cross-site Scripting (XSS) Attack | hardly any false positives
958018 | Cross-site Scripting (XSS) Attack | hardly any false positives
958019 | Cross-site Scripting (XSS) Attack | hardly any false positives
958020 | Cross-site Scripting (XSS) Attack | hardly any false positives
958022 | Cross-site Scripting (XSS) Attack | hardly any false positives
958023 | Cross-site Scripting (XSS) Attack | hardly any false positives
958024 | Cross-site Scripting (XSS) Attack | hardly any false positives
958025 | Cross-site Scripting (XSS) Attack | hardly any false positives
958026 | Cross-site Scripting (XSS) Attack | hardly any false positives
958027 | Cross-site Scripting (XSS) Attack | hardly any false positives
958028 | Cross-site Scripting (XSS) Attack | hardly any false positives
958030 | Cross-site Scripting (XSS) Attack | few false positives
958031 | Cross-site Scripting (XSS) Attack | hardly any false positives
958032 | Cross-site Scripting (XSS) Attack | hardly any false positives
958033 | Cross-site Scripting (XSS) Attack | hardly any false positives
958034 | Cross-site Scripting (XSS) Attack | hardly any false positives
958036 | Cross-site Scripting (XSS) Attack | hardly any false positives
958037 | Cross-site Scripting (XSS) Attack | hardly any false positives
958038 | Cross-site Scripting (XSS) Attack | hardly any false positives
958039 | Cross-site Scripting (XSS) Attack | hardly any false positives
958040 | Cross-site Scripting (XSS) Attack | hardly any false positives
958041 | Cross-site Scripting (XSS) Attack | hardly any false positives
958045 | Cross-site Scripting (XSS) Attack | hardly any false positives
958046 | Cross-site Scripting (XSS) Attack | hardly any false positives
958047 | Cross-site Scripting (XSS) Attack | hardly any false positives
958049 | Cross-site Scripting (XSS) Attack | hardly any false positives
958051 | Cross-site Scripting (XSS) Attack | few false positives
958052 | Cross-site Scripting (XSS) Attack | few false positives
958054 | Cross-site Scripting (XSS) Attack | hardly any false positives
958056 | Cross-site Scripting (XSS) Attack | hardly any false positives
958057 | Cross-site Scripting (XSS) Attack | hardly any false positives
958059 | Cross-site Scripting (XSS) Attack | hardly any false positives
958230 | Range: Invalid Last Byte Value. | hardly any false positives
958231 | Range: Too many fields | hardly any false positives
958291 | Range: field exists and begins with 0. | few false positives
958295 | Multiple/Conflicting Connection Header Data Found. | hardly any false positives
958404 | Cross-site Scripting (XSS) Attack | hardly any false positives
958405 | Cross-site Scripting (XSS) Attack | hardly any false positives
958406 | Cross-site Scripting (XSS) Attack | hardly any false positives
958407 | Cross-site Scripting (XSS) Attack | hardly any false positives
958408 | Cross-site Scripting (XSS) Attack | hardly any false positives
958409 | Cross-site Scripting (XSS) Attack | hardly any false positives
958410 | Cross-site Scripting (XSS) Attack | hardly any false positives
958411 | Cross-site Scripting (XSS) Attack | hardly any false positives
958412 | Cross-site Scripting (XSS) Attack | hardly any false positives
958413 | Cross-site Scripting (XSS) Attack | hardly any false positives
958414 | Cross-site Scripting (XSS) Attack | hardly any false positives
958415 | Cross-site Scripting (XSS) Attack | hardly any false positives
958416 | Cross-site Scripting (XSS) Attack | hardly any false positives
958417 | Cross-site Scripting (XSS) Attack | hardly any false positives
958418 | Cross-site Scripting (XSS) Attack | hardly any false positives
958419 | Cross-site Scripting (XSS) Attack | hardly any false positives
958420 | Cross-site Scripting (XSS) Attack | hardly any false positives
958421 | Cross-site Scripting (XSS) Attack | hardly any false positives
958422 | Cross-site Scripting (XSS) Attack | hardly any false positives
958423 | Cross-site Scripting (XSS) Attack | hardly any false positives
958976 | PHP Injection Attack | hardly any false positives
958977 | PHP Injection Attack | hardly any false positives
959070 | SQL Injection Attack | frequent false positives
959071 | SQL Injection Attack | frequent false positives
959072 | SQL Injection Attack | frequent false positives
959073 | SQL Injection Attack | very frequent false positives
959151 | PHP Injection Attack | hardly any false positives
960000 | Attempted multipart/form-data bypass | few false positives
960006 | Empty User Agent Header | hardly any false positives
960007 | Empty Host Header | hardly any false positives
960008 | Request Missing a Host Header | hardly any false positives
960009 | Request Missing a User Agent Header | few false positives
960010 | Request content type is not allowed by policy | few false positives
960011 | GET or HEAD Request with Body Content | hardly any false positives
960012 | POST request missing Content-Length Header | hardly any false positives
960014 | Proxy access attempt | hardly any false positives
960015 | Request Missing an Accept Header | very frequent false positives
960016 | Content-Length HTTP header is not numeric | hardly any false positives
960017 | Host header is a numeric IP address | very frequent false positives
960018 | Invalid character in request | hardly any false positives
960020 | Pragma Header requires Cache-Control Header for HTTP/1.1 requests. | hardly any false positives
960021 | Request Has an Empty Accept Header | hardly any false positives
960022 | Expect Header Not Allowed for HTTP 1.0 | hardly any false positives
960024 | Meta-Character Anomaly Detection Alert – Repetative Non-Word Characters | very frequent false positives
960032 | Method is not allowed by policy | hardly any false positives
960034 | HTTP protocol version is not allowed by policy | hardly any false positives
960035 | URL file extension is restricted by policy | frequent false positives
960038 | HTTP header is restricted by policy | hardly any false positives
960208 | Argument value too long | hardly any false positives
960209 | Argument name too long | hardly any false positives
960335 | Too many arguments in request | hardly any false positives
960341 | Total arguments size exceeded | hardly any false positives
960342 | Uploaded file size too large | hardly any false positives
960343 | Total uploaded files size too large | hardly any false positives
960901 | Invalid character in request | hardly any false positives
960902 | Invalid Use of Identity Encoding | hardly any false positives
960904 | Request Containing Content, but Missing Content-Type header | hardly any false positives
960911 | Invalid HTTP Request Line | hardly any false positives
960912 | Failed to parse request body | hardly any false positives
960913 | Invalid request | hardly any false positives
960914 | Multipart request body failed strict validation | hardly any false positives
960915 | Multipart parser detected a possible unmatched boundary | hardly any false positives
970002 | Statistics Information Leakage | hardly any false positives
970003 | SQL Information Leakage | hardly any false positives
970004 | IIS Information Leakage | hardly any false positives
970007 | Zope Information Leakage | hardly any false positives
970008 | Cold Fusion Information Leakage | hardly any false positives
970009 | PHP Information Leakage | hardly any false positives
970010 | ISA server existence revealed | hardly any false positives
970011 | File or Directory Names Leakage | hardly any false positives
970012 | Microsoft Office document properties leakage | hardly any false positives
970013 | Directory Listing | hardly any false positives
970014 | ASP/JSP source code leakage | hardly any false positives
970015 | PHP source code leakage | hardly any false positives
970016 | Cold Fusion source code leakage | hardly any false positives
970018 | IIS installed in default location | hardly any false positives
970021 | WebLogic information disclosure | hardly any false positives
970118 | The application is not available | hardly any false positives
970901 | The application is not available | few false positives
970902 | PHP source code leakage | hardly any false positives
970903 | ASP/JSP source code leakage | few false positives
970904 | IIS Information Leakage | hardly any false positives
973300 | Possible XSS Attack Detected – HTML Tag Handler | frequent false positives
973301 | XSS Attack Detected | hardly any false positives
973302 | XSS Attack Detected | few false positives
973303 | XSS Attack Detected | hardly any false positives
973304 | XSS Attack Detected | few false positives
973305 | XSS Attack Detected | few false positives
973306 | XSS Attack Detected | few false positives
973307 | XSS Attack Detected | few false positives
973308 | XSS Attack Detected | few false positives
973309 | XSS Attack Detected | hardly any false positives
973310 | XSS Attack Detected | few false positives
973311 | XSS Attack Detected | hardly any false positives
973312 | XSS Attack Detected | hardly any false positives
973313 | XSS Attack Detected | hardly any false positives
973314 | XSS Attack Detected | hardly any false positives
973315 | IE XSS Filters – Attack Detected. | hardly any false positives
973316 | IE XSS Filters – Attack Detected. | few false positives
973317 | IE XSS Filters – Attack Detected. | hardly any false positives
973318 | IE XSS Filters – Attack Detected. | hardly any false positives
973319 | IE XSS Filters – Attack Detected. | hardly any false positives
973320 | IE XSS Filters – Attack Detected. | hardly any false positives
973321 | IE XSS Filters – Attack Detected. | hardly any false positives
973322 | IE XSS Filters – Attack Detected. | hardly any false positives
973323 | IE XSS Filters – Attack Detected. | hardly any false positives
973324 | IE XSS Filters – Attack Detected. | hardly any false positives
973325 | IE XSS Filters – Attack Detected. | hardly any false positives
973326 | IE XSS Filters – Attack Detected. | hardly any false positives
973327 | IE XSS Filters – Attack Detected. | hardly any false positives
973328 | IE XSS Filters – Attack Detected. | hardly any false positives
973329 | IE XSS Filters – Attack Detected. | few false positives
973330 | IE XSS Filters – Attack Detected. | hardly any false positives
973331 | IE XSS Filters – Attack Detected. | few false positives
973332 | IE XSS Filters – Attack Detected. | frequent false positives
973333 | IE XSS Filters – Attack Detected. | frequent false positives
973334 | IE XSS Filters – Attack Detected. | few false positives
973335 | IE XSS Filters – Attack Detected. | few false positives
973336 | XSS Filter – Category 1: Script Tag Vector | hardly any false positives
973337 | XSS Filter – Category 2: Event Handler Vector | hardly any false positives
973338 | XSS Filter – Category 3: Javascript URI Vector | few false positives
973344 | IE XSS Filters – Attack Detected. | few false positives
973345 | IE XSS Filters – Attack Detected. | hardly any false positives
973346 | IE XSS Filters – Attack Detected. | hardly any false positives
973347 | IE XSS Filters – Attack Detected. | few false positives
973348 | IE XSS Filters – Attack Detected. | hardly any false positives
981000 | Possibly malicious iframe tag in output | hardly any false positives
981001 | Possibly malicious iframe tag in output | hardly any false positives
981003 | Malicious iframe+javascript tag in output | hardly any false positives
981004 | Potential Obfuscated Javascript in Output – Excessive fromCharCode | hardly any false positives
981005 | Potential Obfuscated Javascript in Output – Eval+Unescape | hardly any false positives
981006 | Potential Obfuscated Javascript in Output – Unescape | hardly any false positives
981007 | Potential Obfuscated Javascript in Output – Heap Spray | hardly any false positives
981018 | Auxiliary Rule | does not apply
981020 | Auxiliary Rule | does not apply
981021 | Auxiliary Rule | does not apply
981022 | Auxiliary Rule | does not apply
981133 | Auxiliary Rule | does not apply
981134 | Auxiliary Rule | does not apply
981136 | Unnamed XSS Rule | hardly any false positives
981172 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives
981173 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives
981175 | Inbound Attack Targeting OSVDB Flagged Resource. | hardly any false positives
981176 | Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg} | hardly any false positives
981177 | Auxiliary Rule | does not apply
981178 | Auxiliary Rule | does not apply
981200 | Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg} | does not apply
981201 | Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} – Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} – Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE}) | does not apply
981202 | Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} – Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE}) | does not apply
981203 | Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg} | does not apply
981204 | Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg} | does not apply
981205 | Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg} | does not apply
981227 | Apache Error: Invalid URI in Request | hardly any false positives
981231 | SQL Comment Sequence Detected. | very frequent false positives
981240 | Detects MySQL comments, conditions and ch(a)r injections | frequent false positives
981241 | Detects conditional SQL injection attempts | few false positives
981242 | Detects classic SQL injection probings 1/2 | frequent false positives
981243 | Detects classic SQL injection probings 2/2 | very frequent false positives
981244 | Detects basic SQL authentication bypass attempts 1/3 | frequent false positives
981245 | Detects basic SQL authentication bypass attempts 2/3 | frequent false positives
981246 | Detects basic SQL authentication bypass attempts 3/3 | frequent false positives
981247 | Detects concatenated basic SQL injection and SQLLFI attempts | few false positives
981248 | Detects chained SQL injection attempts 1/2 | very frequent false positives
981249 | Detects chained SQL injection attempts 2/2 | frequent false positives
981250 | Detects SQL benchmark and sleep injection attempts including conditional queries | hardly any false positives
981251 | Detects MySQL UDF injection and other data/structure manipulation attempts | hardly any false positives
981252 | Detects MySQL charset switch and MSSQL DoS attempts | hardly any false positives
981253 | Detects MySQL and PostgreSQL stored procedure/function injections | hardly any false positives
981254 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | hardly any false positives
981255 | Detects MSSQL code execution and information gathering attempts | few false positives
981256 | Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections | few false positives
981257 | Detects MySQL comment-/space-obfuscated injections and backtick termination | frequent false positives
981260 | SQL Hex Encoding Identified | very frequent false positives
981270 | Finds basic MongoDB SQL injection attempts | hardly any false positives
981272 | Detects blind sqli tests using sleep() or benchmark(). | hardly any false positives
981276 | Looking for basic sql injection. Common attack string for mysql, oracle and others. | hardly any false positives
981277 | Looking for integer overflow attacks, these are taken from skipfish, except 2.2.90738585072007e-308 is the "magic number" crash | hardly any false positives
981300 | Auxiliary Rule | does not apply
981301 | Auxiliary Rule | does not apply
981302 | Auxiliary Rule | does not apply
981303 | Auxiliary Rule | does not apply
981304 | Auxiliary Rule | does not apply
981305 | Auxiliary Rule | does not apply
981306 | Auxiliary Rule | does not apply
981307 | Auxiliary Rule | does not apply
981308 | Auxiliary Rule | does not apply
981309 | Auxiliary Rule | does not apply
981310 | Auxiliary Rule | does not apply
981311 | Auxiliary Rule | does not apply
981312 | Auxiliary Rule | does not apply
981313 | Auxiliary Rule | does not apply
981314 | Auxiliary Rule | does not apply
981315 | Auxiliary Rule | does not apply
981316 | Auxiliary Rule | does not apply
981317 | SQL SELECT Statement Anomaly Detection Alert | few false positives
981318 | SQL Injection Attack: Common Injection Testing Detected | few false positives
981319 | SQL Injection Attack: SQL Operator Detected | frequent false positives
981320 | SQL Injection Attack: Common DB Names Detected | few false positives
990002 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives
990012 | Rogue web site crawler | hardly any false positives
990901 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives
990902 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives

I think it is interesting to see that most false positives are concentrated in a few dozen rules. To ease things for the reader, here are the rules which frequently brought false positives:

Rule ID | Description / Message | False Positives Frequency
--- | --- | ---
950001 | SQL Injection Attack | frequent false positives
950109 | Multiple URL Encoding Detected | frequent false positives
950907 | System Command Injection | frequent false positives
959070 | SQL Injection Attack | frequent false positives
959071 | SQL Injection Attack | frequent false positives
959072 | SQL Injection Attack | frequent false positives
960035 | URL file extension is restricted by policy | frequent false positives
973300 | Possible XSS Attack Detected – HTML Tag Handler | frequent false positives
973332 | IE XSS Filters – Attack Detected. | frequent false positives
973333 | IE XSS Filters – Attack Detected. | frequent false positives
981240 | Detects MySQL comments, conditions and ch(a)r injections | frequent false positives
981242 | Detects classic SQL injection probings 1/2 | frequent false positives
981244 | Detects basic SQL authentication bypass attempts 1/3 | frequent false positives
981245 | Detects basic SQL authentication bypass attempts 2/3 | frequent false positives
981246 | Detects basic SQL authentication bypass attempts 3/3 | frequent false positives
981249 | Detects chained SQL injection attempts 2/2 | frequent false positives
981257 | Detects MySQL comment-/space-obfuscated injections and backtick termination | frequent false positives
981319 | SQL Injection Attack: SQL Operator Detected | frequent false positives

And here are the rules with even more false positives. The rules in this group had tuning rules in half or more of the services I examined:

Rule ID | Description / Message | False Positives Frequency
--- | --- | ---
950901 | SQL Injection Attack: SQL Tautology Detected. | very frequent false positives
959073 | SQL Injection Attack | very frequent false positives
960015 | Request Missing an Accept Header | very frequent false positives
960017 | Host header is a numeric IP address | very frequent false positives
960024 | Meta-Character Anomaly Detection Alert – Repetative Non-Word Characters | very frequent false positives
981172 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives
981173 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives
981231 | SQL Comment Sequence Detected. | very frequent false positives
981243 | Detects classic SQL injection probings 2/2 | very frequent false positives
981248 | Detects chained SQL injection attempts 1/2 | very frequent false positives
981260 | SQL Hex Encoding Identified | very frequent false positives

Not surprisingly, old acquaintances like 960024, 981172, 981173 and 981260 ended up here. The plan is to bring them back into the 3.0.0 Core Rules release behind the paranoia mode, as they have all been removed from the development tree as of this writing. The following rules from the lists above are gone from the development release: 959070, 959071, 959072, 959073, 960024, 973300, 973332, 973333, 981172, 981173, 981231 and 981260.

The discussion about these rules and their proper place is being carried out on the Core Rules mailing list. If you have any comments, then please get back to me or join the discussion there.

Christian Folini

[EDIT] @tunetheweb sent in word about his summary of rule tunings at Stack Overflow.
Removed duplicate rule IDs 950103 and 970018 (hint by Scott Brown).