OWASP 3.3.2 and "ping" with rules 932150 and 1234123447

webmastergreg (Active Member, joined Dec 19, 2010, Paris)
cPanel Access Level: Root Administrator
Hello,
FYI, I was confronted with an interface being blocked after ModSecurity blocked the request under rule No. 1234123447.

To be precise, the request "?_wblapi=/forsef/v1/ping" triggers rule No. 1234123447 because of the term "ping", shown in bold in the log just below.


ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|[B]p[/B](?:asswd|ython|erl|[B]ing[/B]|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|[B]p[/B](?:asswd|ython|erl|[B]ing[/B]|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$)) '] [id "1234123447"] [msg "System Command Injection"] [logdata "/ping"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [uri "/?_wblapi=/forsef/v1/ping"]


There is a debate about this on the GitHub coreruleset project: "ping" (and "time") are planned to be removed from the regex of rule 932150, but only for the next v3.4 dev, which is not yet in a stable state.
The PR for rule 932150 is here: 6638828
The trigger is different in my case, but I suppose it will lead to the same PR for rule 1234123447.

Regards
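Added example (not part of the original post, and not cPanel's or the Core Rule Set's own code): a small Python harness that reproduces why "/forsef/v1/ping" trips the "System Command Injection" regex quoted in the log, and compares three ways of dealing with it. The regex below is a constructed approximation that keeps only the two branches relevant to "ping" (the "separator followed by a command name" branch and the "/command followed by a delimiter or end of value" branch); the real rule 1234123447 and CRS 932150 contain more branches. The sample ARGS values are constructed for the demonstration. The `excluded_targets` parameter of `inspect_args` is this example's stand-in for what a ModSecurity per-target exclusion (`ctl:ruleRemoveTargetById=<id>;ARGS:_wblapi`) does: the rule is not evaluated against that one argument at all.

```python
import re

# Constructed approximation of the "System Command Injection" regex quoted in
# the post. Only the branches that matter for "ping" are reproduced; the real
# cPanel rule 1234123447 / CRS 932150 have more (assumption for this example).
def command_words(include_ping: bool) -> str:
    p_group = "asswd|ython|erl|ing|s" if include_ping else "asswd|ython|erl|s"
    return (r"c(?:h(?:grp|mod|own|sh)|pp)|p(?:" + p_group + r")|n(?:asm|map|c)"
            r"|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id")


def build_rule(include_ping: bool = True) -> re.Pattern:
    words = command_words(include_ping)
    return re.compile(
        r"[;|`]\W*?\b(?:" + words + r")\b"          # shell separator, then a command name
        r"|/(?:" + words + r")(?:[\'\"|;`\-\s]|$)"  # "/cmd" followed by a delimiter or end of value
    )


RULE_OLD = build_rule(include_ping=True)   # behaviour seen in the post's ModSecurity log
RULE_NEW = build_rule(include_ping=False)  # "ping" dropped from the word list, as the CRS PR proposes


def inspect_args(rule: re.Pattern, args: dict, excluded_targets=()) -> list:
    """Apply `rule` to every ARGS value and return [(arg_name, matched_text), ...].

    `excluded_targets` mirrors a ModSecurity per-target exclusion
    (ctl:ruleRemoveTargetById=<id>;ARGS:<name>): those argument names are
    simply never evaluated against the rule.
    """
    hits = []
    for name, value in args.items():
        if name in excluded_targets:
            continue
        m = rule.search(value)
        if m:
            hits.append((name, m.group(0)))
    return hits


# Constructed sample requests (not taken from the original post).
SAMPLES = {
    "legit_api_ping": {"_wblapi": "/forsef/v1/ping"},                  # the false positive
    "injection_semicolon": {"host": "127.0.0.1; ping -c 3 198.51.100.7"},
    "injection_path": {"file": "../../bin/ping -c 3 198.51.100.7"},
    "benign_text": {"q": "shopping list"},
}


def run_all() -> dict:
    """Return {sample_label: {"old": hits, "new": hits, "old+exclusion": hits}}."""
    return {
        label: {
            "old": inspect_args(RULE_OLD, args),
            "new": inspect_args(RULE_NEW, args),
            "old+exclusion": inspect_args(RULE_OLD, args, excluded_targets=("_wblapi",)),
        }
        for label, args in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, result in run_all().items():
        print(f"{label:22s} {result}")
```

Running it shows the trade-off: the original word list flags "/forsef/v1/ping" (logdata "/ping", exactly as in the log) but also catches "; ping -c 3 ..." and "/bin/ping -c 3 ..."; dropping "ping" from the word list clears the API call but silences those two injection samples as well. Keeping the rule and excluding only ARGS:_wblapi clears the API call while the injection samples are still caught, which is why a targeted exclusion is the safer local fix while waiting for the upstream rule change.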