I am using mod_security 2.9.3, together with the Core Rule Set version 3.2.3, both as packaged for Debian 10 ('buster' – yes, I know this is reaching the end of support), and I'm getting occasional false positives from rule 942100 (one of the libinjection rules). This rule is also proving one of the most useful for filtering genuine SQL injection attack attempts, so I'm keen not to disable it entirely. (I know how to do that and I have verified that it does solve the problem.) Ideally I'd like to fine-tune it instead to tweak the test that is yielding the false positive. I'm looking for help with that.
A typical log entry looks something like this:
Message: Warning. detected SQLi using libinjection with fingerprint '1kn&n' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1kn&n found within ARGS:details: XXXXXXXXXXXXX"]
(I'm afraid I've had to redact the details argument as it invariably contains personal data, though I know that will not help people answer my question. The argument is typically a single short sentence containing a few numbers, personal names and short words, here 'and' and 'each', and little to no punctuation.)
I've looked at the recipe in /usr/share/modsecurity-crs/rules/ and I was expecting to find a regular expression or something similar, but there isn't one. The only comment is a reference to https://libinjection.client9.com/ which does not resolve. Does the fingerprint '1kn&n' somehow reference the particular pattern that's triggering? Is there a way of looking that up somewhere? And if so, is it possible to use this to selectively whitelist parts of the rule?
You can whitelist such requests using an exclusion rule like this; just set the correct domain name in the first line (put it inside the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf):

This specific exclusion rule is disabling rule 942100 for the POST/GET argument 'details' on URL example.com/submit.php.
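The shape of such an exclusion, written out as an added example (not the answer's own rule): it assumes the form is served at example.com/submit.php, the free-text field is named details, and rule ids 10001/10002 are unused in your local range.

```apache
# Added example, not the answer's own rule. Assumed values: the form is served
# at example.com/submit.php, its free-text field is named "details", and rule
# ids 10001/10002 are free in your local range (CRS itself uses 900000-999999).

# Option 1: runtime exclusion, placed in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
# It runs in phase 1, before the CRS rules are evaluated, and removes only
# ARGS:details from rule 942100 for this one host and path. Every other
# argument on this URL, and every other URL, is still checked by libinjection.
SecRule REQUEST_HEADERS:Host "@rx ^example\.com(:[0-9]+)?$" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:lowercase,\
    chain"
    SecRule REQUEST_URI "@beginsWith /submit.php" \
        "t:none,\
        ctl:ruleRemoveTargetById=942100;ARGS:details"

# Option 2: configure-time exclusion, placed in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
# Shorter, but unconditional: 942100 skips ARGS:details on every URL of every
# virtual host that loads this file, so it widens the blind spot.
SecRuleUpdateTargetById 942100 "!ARGS:details"
```

Option 1 is the more selective of the two and is the one to prefer unless the details field appears on many pages; after reloading Apache, replay the request that produced the log line above and confirm 942100 no longer fires while other arguments still do.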