
Our company site is behind a WAF based on NGINX ModSecurity, and we constantly see blocked requests from site forms in the WAF logs. Example:

SQL Injection Attack Detected via libinjection - Matched Data: sos found within ARGS:BoxOrgName: %u041e%u041e%u041e "%u0422%u0440%u0438%u043e+"

Why does it happen? This string:

%u041e%u041e%u041e "%u0422%u0440%u0438%u043e+"

is just a Cyrillic company name:

ООО "Трио+"

What can we configure in mod_security, and how, to prevent such incorrect request blocking?

1 Answer


This is a so-called "false positive" (FP).

First, you should set your Nginx error log to info severity, like this:

error_log /path/to/error.log info;

Then you can check this log for results; there you can see the triggered rule, its message and data, and some other useful information. Besides these, there is the uri. With this information, you can create a so-called exclusion. An exclusion helps to trigger FP.

You can read about handling FPs here.
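As an added example (not part of the answer above), a rule exclusion that removes only the BoxOrgName argument from the libinjection check; it assumes the OWASP CRS is in use, that the error log names rule 942100 (the CRS rule that emits "SQL Injection Attack Detected via libinjection") as the trigger, and uses /contact as a placeholder for the form URI taken from the log's uri field.

```conf
# Added example, not the answer's own configuration. Assumes OWASP CRS with
# ModSecurity v2/v3; 942100 is the CRS libinjection SQLi rule, /contact and
# id 10001 are placeholders (confirm the rule id and uri from the error log).

# Option A: runtime exclusion scoped to one URI. Must be loaded BEFORE the
# CRS rules (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) so the ctl
# action takes effect before rule 942100 is evaluated in phase 2.
SecRule REQUEST_URI "@beginsWith /contact" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:BoxOrgName"

# Option B: configure-time exclusion for every request. Must be loaded AFTER
# the CRS rules (e.g. in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf), since
# it modifies a rule that has to exist already.
SecRuleUpdateTargetById 942100 "!ARGS:BoxOrgName"
```

Excluding one argument from one rule keeps libinjection active for every other parameter; after reloading, re-check the error log to confirm the rule no longer fires on this form and that no other 942xxx rule has taken its place.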
