I have introduced ModSecurity to protect a WordPress site, but I have no clue about the ModSecurity rule language. Setup so far has gone fairly OK; the problem I am facing is that multiple rules are firing when a form is submitted (trying PL 3). Having a chat with GPT, it offers a solution that looks fine in theory but won't work.
The system is on the latest nginx; ModSecurity and OWASP are also up to date.
The analysis is as follows:
Analysis of Rule Matches

Rule ID 920230 – Multiple URL Encoding Detected
    Matched Data: Parameters in ARGS:data appear URL-encoded multiple times.
    Reason for Block: The rule detects anomalies in parameter encoding, often used in attacks like double-encoding to bypass input validation.
    Tag: paranoia-level/2

Rule ID 920272 – Invalid Character in Request
    Matched Data: Characters outside the printable ASCII range.
    Reason for Block: The request body contains encoded or unexpected characters.
    Tag: paranoia-level/3

Rule IDs 942430 and 942431 – SQL Injection-Like Patterns
    Matched Data: The form data contains more than the allowed number of special characters, such as &, =, or %.
    Reason for Block: The rule flags requests with excessive special characters as potential SQL injection attempts.
    Tags: paranoia-level/2 and paranoia-level/3

Rule ID 949110 – Inbound Anomaly Score Exceeded
    Reason for Block: The cumulative anomaly score for the request exceeded the blocking threshold (default: 5). This is triggered because multiple rules were violated.
I tried to avoid bypassing all the rules and rather reduce the total anomaly score for the combination so the form won't get blocked, but GPT's suggestions are not working; the latest attempt is:
```apache
# Adjusting anomaly scores for specific rules and paths
# Rule adjustments for /wp-admin/admin-ajax.php
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:900500,\
    phase:1,\
    pass,\
    t:none,\
    setvar:'tx.notice_anomaly_score=1',\
    setvar:'tx.warning_anomaly_score=2',\
    setvar:'tx.error_anomaly_score=3',\
    setvar:'tx.critical_anomaly_score=4'"

# Specific rule: 920230 (Multiple URL Encoding Detected)
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:900501,\
    phase:2,\
    pass,\
    t:none,\
    ctl:ruleModifyById=920230;"

# Adjust anomaly score for rule 920230
SecAction \
    "id:900502,\
    phase:2,\
    pass,\
    t:none,\
    setvar:'tx.anomaly_score=-1',\
    chain"
    SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" "t:none"

# Specific rule: 920272 (Invalid character in request body)
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:900503,\
    phase:2,\
    pass,\
    t:none,\
    ctl:ruleModifyById=920272;"

# Adjust anomaly score for rule 920272
SecAction \
    "id:900504,\
    phase:2,\
    pass,\
    t:none,\
    setvar:'tx.anomaly_score=-1',\
    chain"
    SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" "t:none"

# Specific rule: 942430 (SQL Character Anomaly Detection, 12 characters)
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:900505,\
    phase:2,\
    pass,\
    t:none,\
    ctl:ruleModifyById=942430;"

# Adjust anomaly score for rule 942430
SecAction \
    "id:900506,\
    phase:2,\
    pass,\
    t:none,\
    setvar:'tx.anomaly_score=-1',\
    chain"
    SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" "t:none"

# Specific rule: 942431 (SQL Character Anomaly Detection, 6 characters)
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:900507,\
    phase:2,\
    pass,\
    t:none,\
    ctl:ruleModifyById=942431;"

# Adjust anomaly score for rule 942431
SecAction \
    "id:900508,\
    phase:2,\
    pass,\
    t:none,\
    setvar:'tx.anomaly_score=-1',\
    chain"
    SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" "t:none"

# Evaluate and block based on reduced anomaly score
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge 5" \
    "id:900509,\
    phase:2,\
    deny,\
    log,\
    t:none,\
    msg:'Inbound Anomaly Score Exceeded (Adjusted Score)',\
    tag:'OWASP_CRS',\
    tag:'anomaly-evaluation',\
    setvar:'tx.blocking_inbound_anomaly_score=+5'"
```
Any feedback on how to tackle this would be appreciated.
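A per-path exclusion in the form the CRS expects, as an added example that is not from the original post or from the CRS project: instead of rewriting scores, it removes only the ARGS:data target (the parameter named in the analysis above) from the four noisy rules for requests to /wp-admin/admin-ajax.php, so those rules keep scoring every other parameter and every other path. It assumes CRS 3.x or 4.x and that the snippet is placed in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or any file included before the CRS rules); the rule ids 10100 and 10101 are arbitrary local ids.

```apache
# Added example, not part of the original post.
# Load this BEFORE the CRS rules (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
# Local rules belong in the id range 1-99999; 900000-999999 is reserved for the
# CRS itself, so ids like 900500 collide with the CRS namespace.

# Runtime target exclusion: for admin-ajax.php only, stop the four rules from
# inspecting ARGS:data. Must run in phase:1, before the phase:2 rules it modifies.
# Other parameters on this path, and ARGS:data on every other path, are still scored.
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:10100,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=920230;ARGS:data,\
    ctl:ruleRemoveTargetById=920272;ARGS:data,\
    ctl:ruleRemoveTargetById=942430;ARGS:data,\
    ctl:ruleRemoveTargetById=942431;ARGS:data"

# Alternative (coarser): raise the blocking threshold for this path only.
# The CRS init rule (901xxx) sets the default of 5 only when the variable is
# still unset, so this must also run in phase:1 before the CRS is included.
# Trade-off: every request to admin-ajax.php then tolerates more findings
# before 949110 blocks it, so prefer the targeted exclusion above where possible.
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:10101,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    setvar:'tx.inbound_anomaly_score_threshold=10'"
```

After reloading nginx, check the audit log: a legitimate form submission should no longer trigger 949110, while the four rules still appear for any other parameter on the same path.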