
SQL Injection

Hi,

I hope I am in the right place to ask this question.

We have a new Sophos SG and we put our web servers behind this UTM. Now, when we try to open some of our websites, we get "access denied". I did look in the WAF logs and can see that when opening the website the UTM sees it as SQL injection, so this is a false positive. Should we add the ID to the modified rules of IPS?

/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.121631 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS[:D]. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: --OrBzLzFK8vxQu3- found within ARGS[:D]: 0o3eV0RWOK5Zb2PMS4JXHvsQDag_PrZsc8rB7s8dIVGFcEtQSDXip9Ii5Skao5qgOS1-JChhY--OrBzLzFK8vxQu3-szHugWj-HQr9alNSo1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"]

/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.122468 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\].*?){4,}" at ARGS[:D]. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS[:D]: 0o3eV0RWOK5Zb2PMS4JXHvsQDag_PrZsc8rB7s8dIVGFcEtQSDXip9Ii5Skao5qgOS1-JChhY--OrBzLzFK8vxQu3-szHugWj-HQr9alNSo1"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"] 

/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.123375 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960035-OWASP_CRS/POLICY/EXT_RESTRICTED-TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=2, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Last Matched Data: .axd/"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"] 

/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.123462 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 11, SQLi=2, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "edeo.go2mydomain.nl"] [uri "/WebResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@wAAABR"] 

/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: id="0299" srcip="132.XX.XX.5" localip="62.221.199.184" size="224" user="-" host="132.XX.XX.5" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=2, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" exceptions="-" time="3330" url="/WebResource.axd" server="edeo.go2mydomain.nl" referer="edeo.go2mydomain.nl/" cookie="ASP.NET_SessionId=cuulemiixtouewp0kc0xzhhw; HASH_ASP.NET_SessionId=0E3C024E05FD173CA4EB3FBFAD085BA895E6AE01" set-cookie="-" 

/var/log/reverseproxy/2015/08/reverseproxy-2015-08-29.log.gz:2015:08:29-11:50:29 securitysrv1-1 reverseproxy: [Sat Aug 29 11:50:29.128224 2015] [security2:error] [pid 17925:tid 3850255216] [client 132.XX.XX.5] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "edeo.go2mydomain.nl"] [uri "/ScriptResource.axd"] [unique_id "VeGAZT7dx7gAAEYFu@0AAABR"]
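A small triage helper for log lines like the ones above, added here as an example (it is not part of the post and not a Sophos UTM tool): it parses the ModSecurity [key "value"] fields, groups the events by unique_id, and lists which CRS rule IDs fired on the request that was denied. The sample lines are constructed to match the shape of the excerpt; the rule IDs and messages are taken from it, the client and hosts are placeholders.

```python
import re
# Constructed sample shaped like the UTM reverseproxy / ModSecurity lines quoted
# above (rule IDs and messages as in the post; client/host are placeholders).
SAMPLE_LOG = [
    'reverseproxy: [client 198.51.100.5] ModSecurity: Warning. Pattern match '
    '"[\';]--" at ARGS:d. [file "modsecurity_crs_sql_injection_attacks.conf"] '
    '[line "49"] [id "981231"] [msg "SQL Comment Sequence Detected."] '
    '[tag "PCI/6.5.2"] [uri "/WebResource.axd"] [unique_id "TX-A"]',
    'reverseproxy: [client 198.51.100.5] ModSecurity: Access denied with code 403 '
    '(phase 2). [file "modsecurity_crs_inbound_blocking.conf"] [line "26"] '
    '[id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 11, SQLi=2, XSS=)"] '
    '[uri "/WebResource.axd"] [unique_id "TX-A"]',
    'reverseproxy: [client 198.51.100.5] ModSecurity: Warning. String match within '
    '".asa/ .axd/" at TX:extension. [file "modsecurity_crs_http_policy.conf"] '
    '[id "960035"] [msg "URL file extension is restricted by policy"] [data ".axd"] '
    '[uri "/ScriptResource.axd"] [unique_id "TX-B"]',
    # plain UTM access-log line (id="0299"): a normal request, not a WAF rule hit
    'reverseproxy: id="0299" srcip="198.51.100.5" method="GET" statuscode="200" '
    'reason="-" url="/imageproxysrv.asp"',
]

# ModSecurity writes each attribute as [key "value"]; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
def parse_event(line):
    """Fields of one ModSecurity line as a dict plus a 'blocked' flag; None otherwise."""
    if "ModSecurity:" not in line:
        return None
    event = dict(FIELD_RE.findall(line))  # a repeated key such as tag keeps its last value
    event["blocked"] = "Access denied" in line
    return event

def triage(lines):
    """Per unique_id (one HTTP transaction): URI, whether the WAF denied it, and the
    CRS rule IDs that fired. 981176 is the anomaly-score rule that does the denying;
    the other IDs are the scoring rules whose hits add up to the score it checks."""
    tx = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or "unique_id" not in ev or "id" not in ev:
            continue
        t = tx.setdefault(ev["unique_id"], {"uri": ev.get("uri"), "blocked": False, "rules": []})
        t["rules"].append(ev["id"])
        t["blocked"] = t["blocked"] or ev["blocked"]
    return tx

def fired_rule_ids(lines, blocked_only=True):
    """Sorted rule IDs to review for a WAF exception (skip filter rules in the
    UTM firewall profile); by default only those seen on denied transactions."""
    return sorted({rid for t in triage(lines).values()
                   if t["blocked"] or not blocked_only for rid in t["rules"]})
```

Run it over a real reverseproxy log with `fired_rule_ids(open(path), blocked_only=False)` to get every ID that fired, including policy rules such as 960035 that hit a different transaction than the one that was denied.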

  • Should we add the IDs to the firewall profile or to the IPS exception?

    Hi Aresh, 

    For WAF exceptions you must add these in the firewall profile under "skip filter rules".

    regards
    mod
  • Hi Mod,

    I don't think these lines have anything to do with SQL injection. Should I add the ID 0229 also to the WAF, or is this some other issue?

    2015:08:29-11:10:49 securitysrv1-1 reverseproxy: id="0299" srcip="175.X.XX.116" localip="62.XX.XX.184" size="1178" user="-" host="175.X.XX.116" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="112422" url="/imageproxysrv.asp" server="www.mydomain-online.nl" referer="http://myserver.srv.nl/en/work/2700%20(MK)" cookie="-" set-cookie="ASPSESSIONIDACASSSST=OBNNJIHAOONDJABOJBAMPCGM; path=/, HASH_ASPSESSIONIDACASSSST=1666A854E2FDCD52612D082180CC8BB0F58D06E5; path=/"
    2015:08:29-11:10:49 securitysrv1-1 reverseproxy: id="0299" srcip="175.X.XX.116" localip="62.XX.XX.184" size="950" user="-" host="175.X.XX.116" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="89113" url="/imageproxysrv.asp" server="www.mydomain-online.nl" referer="http://myserver.srv.nl/en/work/2700%20(MK)" cookie="-" set-cookie="ASPSESSIONIDACASSSST=ACNNJIHAGPBBKHFPHFEBCFJB; path=/, HASH_ASPSESSIONIDACASSSST=C7DE012BB14D9458E9CDF593838C41D6BCEF75D9; path=/"
    2015:08:29-11:10:49 securitysrv1-1 reverseproxy: id="0299" srcip="175.X.XX.116" localip="62.XX.XX.184" size="977" user="-" host="175.X.XX.116" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="34802" url="/imageproxysrv.asp" server="www.mydomain-online.nl" referer="http://myserver.srv.nl/en/work/2700%20(MK)" cookie="-" set-cookie="ASPSESSIONIDACASSSST=CCNNJIHAMIBKPNKEKOAGOKKC; path=/, HASH_ASPSESSIONIDACASSSST=47243ADD3D54BE2973C0C6BE6A2F7DA37CC5A5F0; path=/"

    Hi Aresh,

    these lines are normal requests. According to your first post, you must add the IDs 
    [id "981231"],[id "981173"],[id "981176"],[id "981204"] and [id "960035"]

    regards
    mod
  • Hi mod

    Thanks, I now understand what you mean and I will add the IDs.
  • Hi 

    I did add the IDs that you mentioned to the firewall profile, but unfortunately I still see the same IDs in the WAF logs.

    Any ideas?

    Please post a screenshot of your firewall profile and the actual WAF log.