I have successfully implemented the ModSecurity firewall.
But my team is facing one issue related to the firewall rules for SQL injection & XSS.
The issue is: whenever a user adds normal information with special characters, the rules execute and display a page with error 403 Forbidden. In the Apache error log I got various line numbers, which are the rule lines. I commented out each rule, like rule nos. (309, 508) in modsecurity_crs_41_xss_attack.conf
& (223, 233, 243, 237, 211, 239, 49, 136) in modsecurity_crs_41_sql_injection.conf,
which give me false positive results.
Testing scenario is:

Input text

Only 8 Seats left! REGISTER NOW!
Course Fees include Course material, Hands on training, working Lunch, Breakfast, evening tea.
** Free accommodation will be provided on prior request
For accommodation, please contact us on: +91 12345 67890

==================================================

Error log in Apache
Sahil: [Wed Mar 16 10:29:57.316380 2016] [:error] [pid 25001]ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:[\"\\'][ ](([^a-z0-9~_:\\' ])|(in)).+?\\(.?\\))" at ARGS_NAMES:redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: '),#res.setCharacterEncoding(\x22UTF-8\x22) found within ARGS_NAMES:redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding(\x22UTF-8\x22),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print(\x22dir:\x22),#res.getWriter().println(#req.getSession(). [hostname "54.169.124.26"] [uri "/"] [unique_id "Vuk1pawfC1wAAGGpqA8AAAAS"]
So will you please give guidance on this issue?
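One way to handle a false positive without commenting out lines in the CRS files, as an added example that is not part of the original post: a targeted exclusion in a local config file loaded after the CRS rules, keyed on the rule id from the log rather than the line number. The field name ARGS:course_description and the URI /register are assumed placeholders; also note that the logged hit matched ARGS_NAMES:redirect, a parameter name, not the course text above, so verify which field a rule actually fires on before excluding it.

```apache
# Added example (not from the original post): local exclusion file, e.g.
# /etc/modsecurity/zz_local_exclusions.conf, included AFTER the CRS rule files
# so that the rule ids referenced below already exist.
#
# Use the [id "..."] value from the Apache error log (here 973335) to identify
# a rule; the [line "..."] value shifts as soon as a .conf file is edited.

# 1) Narrow exclusion: rule 973335 (IE XSS Filters) keeps running, but no
#    longer inspects the one free-text field that legitimately contains
#    characters such as ! ( ) : and quotes.
#    "course_description" is an assumed placeholder for the real field name.
SecRuleUpdateTargetById 973335 "!ARGS:course_description"

# 2) Per-URL exclusion: drop the target only for requests to the registration
#    form, so the rule stays fully active for every other URL.
#    The URI and the rule id 1000001 are placeholders.
SecRule REQUEST_URI "@beginsWith /register" \
    "id:1000001,phase:1,t:none,pass,nolog,\
     ctl:ruleRemoveTargetById=973335;ARGS:course_description"

# Avoid this form: it disables the rule for every parameter on every URL,
# which is the same loss of coverage as commenting the rule out.
# SecRuleRemoveById 973335
```

After the change, reload Apache and re-submit the sample text; any remaining 403 will carry a different [id "..."] in the error log, which is the next rule to scope in the same way.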