Forum-Navigation
Bitte Anmelden, um Beiträge und Themen zu erstellen.
modsecurity ID in WAF log (reverseproxy.log) finden
#1 · 22. Januar 2024, 13:03
tail -n 5000 -f /log/reverseproxy.log | grep security2:error
https://web.archive.org/web/20230901104426/https://www.netnea.com/cms/core-rule-set-inventory/
https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/
This is a list of rules from the OWASP ModSecurity Core Rule Set.
- Handling of false positives / false alarms / blocking of legitimate traffic is explained in this tutorial.
- This page here covers the 3.x release(s). The rule IDs from the 2.x.x release(s) are not listed / covered. Look here for some infos.
- Helper rules are omitted.
- Click on link to be taken to github and land on the definition of the rule.
- The link to github points to the 3.0 dev tree.
- The description / message is the msg action from the rule definition mostly.
- Individual rules in this page can be reached via a shortcut. E.g., https://netnea.com/crs/942100.
- If you are lazy, then create a dynamic bookmark and call it with the rule ID as parameter in the address line of the browser: e.g., crs 942100.
- You like what you see? Why don’t you follow me on twitter @ChrFolini to learn about new ModSecurity stuff I publish.
| Rule ID | Paranoia Level |
Severity | Description (msg) |
|---|---|---|---|
| 901001 | PL1 | none | Check if crs-set.conf was loaded |
| 901450 | PL1 | none | Sampling: Disable the rule engine based on sampling_percentage |
| 905100 | PL1 | none | Common Exeptions example rule |
| 905110 | PL1 | none | Common Exeptions example rule |
| 910000 | PL1 | critical | Request from Known Malicious Client (Based on previous traffic violations). |
| 910100 | PL1 | critical | Client IP is from a HIGH Risk Country Location. |
| 910150 | PL1 | critical | HTTP Blacklist match for search engine IP, |
| 910160 | PL1 | critical | HTTP Blacklist match for spammer IP |
| 910170 | PL1 | critical | HTTP Blacklist match for suspicious IP |
| 910180 | PL1 | critical | HTTP Blacklist match for harvester IP |
| 911100 | PL1 | critical | Method is not allowed by policy |
| 912120 | PL1 | none | Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)" |
| 912170 | PL1 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter} |
| 912171 | PL2 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter} |
| 913100 | PL1 | critical | Found User-Agent associated with security scanner |
| 913101 | PL2 | critical | Found User-Agent associated with scripting/generic HTTP client |
| 913102 | PL2 | critical | Found User-Agent associated with web crawler/bot |
| 913110 | PL1 | critical | Found request header associated with security scanner |
| 913120 | PL1 | critical | Found request filename/argument associated with security scanner |
| 920100 | PL1 | notice | Invalid HTTP Request Line |
| 920120 | PL1 | critical | Attempted multipart/form-data bypass |
| 920130 | PL1 | critical | Failed to parse request body. |
| 920140 | PL1 | critical | Multipart request body failed strict validation: |
| 920160 | PL1 | critical | Content-Length HTTP header is not numeric. |
| 920170 | PL1 | critical | GET or HEAD Request with Body Content. |
| 920180 | PL1 | notice | POST request missing Content-Length Header. |
| 920190 | PL1 | warning | Range: Invalid Last Byte Value. |
| 920200 | PL2 | warning | Range: Too many fields (6 or more) |
| 920201 | PL2 | warning | Range: Too many fields for pdf request (35 or more) |
| 920202 | PL4 | warning | Range: Too many fields for pdf request (6 or more) |
| 920210 | PL1 | warning | Multiple/Conflicting Connection Header Data Found. |
| 920220 | PL1 | warning | URL Encoding Abuse Attack Attempt |
| 920230 | PL2 | warning | Multiple URL Encoding Detected |
| 920240 | PL1 | warning | URL Encoding Abuse Attack Attempt |
| 920250 | PL1 | warning | UTF8 Encoding Abuse Attack Attempt |
| 920260 | PL1 | warning | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | PL1 | error | Invalid character in request (null character) |
| 920271 | PL2 | critical | Invalid character in request (non printable characters) |
| 920272 | PL3 | critical | Invalid character in request (outside of printable chars below ascii 127) |
| 920273 | PL4 | critical | Invalid character in request (outside of very strict set) |
| 920274 | PL4 | critical | Invalid character in request headers (outside of very strict set) |
| 920280 | PL1 | warning | Request Missing a Host Header |
| 920290 | PL1 | warning | Empty Host Header |
| 920300 | PL2 | notice | Request Missing an Accept Header |
| 920310 | PL1 | notice | Request Has an Empty Accept Header |
| 920311 | PL1 | notice | Request Has an Empty Accept Header |
| 920320 | PL2 | notice | Missing User Agent Header |
| 920330 | PL1 | notice | Empty User Agent Header |
| 920340 | PL1 | notice | Request Containing Content, but Missing Content-Type header |
| 920350 | PL1 | warning | Host header is a numeric IP address |
| 920360 | PL1 | critical | Argument name too long |
| 920370 | PL1 | critical | Argument value too long |
| 920380 | PL1 | critical | Too many arguments in request |
| 920390 | PL1 | critical | Total arguments size exceeded |
| 920400 | PL1 | critical | Uploaded file size too large |
| 920410 | PL1 | critical | Total uploaded files size too large |
| 920420 | PL1 | critical | Request content type is not allowed by policy |
| 920430 | PL1 | critical | HTTP protocol version is not allowed by policy |
| 920440 | PL1 | critical | URL file extension is restricted by policy |
| 920450 | PL1 | critical | HTTP header is restricted by policy (%{MATCHED_VAR}) |
| 920460 | PL4 | critical | Abnormal character escape detected |
| 921100 | PL1 | critical | HTTP Request Smuggling Attack. |
| 921110 | PL1 | critical | HTTP Request Smuggling Attack |
| 921120 | PL1 | critical | HTTP Response Splitting Attack |
| 921130 | PL1 | critical | HTTP Response Splitting Attack |
| 921140 | PL1 | critical | HTTP Header Injection Attack via headers |
| 921150 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921151 | PL2 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921180 | PL3 | critical | HTTP Parameter Pollution (%{TX.1}) |
| 930100 | PL1 | critical | Path Traversal Attack (/../) |
| 930110 | PL1 | critical | Path Traversal Attack (/../) |
| 930120 | PL1 | critical | OS File Access Attempt |
| 930130 | PL1 | critical | Restricted File Access Attempt |
| 931100 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| 931110 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | PL2 | critical | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| 932100 | PL1 | critical | Remote Command Execution: Unix Command Injection |
| 932105 | PL1 | critical | Remote Command Execution: Unix Command Injection |
| 932110 | PL1 | critical | Remote Command Execution: Windows Command Injection |
| 932115 | PL1 | critical | Remote Command Execution: Windows Command Injection |
| 932120 | PL1 | critical | Remote Command Execution: Windows PowerShell Command Found |
| 932130 | PL1 | critical | Remote Command Execution: Unix Shell Expression Found |
| 932140 | PL1 | critical | Remote Command Execution: Windows FOR/IF Command Found |
| 932150 | PL1 | critical | Remote Command Execution: Direct Unix Command Execution |
| 932160 | PL1 | critical | Remote Command Execution: Unix Shell Code Found |
| 932170 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932171 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 933100 | PL1 | critical | PHP Injection Attack: Opening/Closing Tag Found |
| 933110 | PL1 | critical | PHP Injection Attack: PHP Script File Upload Found |
| 933111 | PL3 | critical | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | PL1 | critical | PHP Injection Attack: Configuration Directive Found |
| 933130 | PL1 | critical | PHP Injection Attack: Variables Found |
| 933131 | PL3 | critical | PHP Injection Attack: Variables Found |
| 933140 | PL1 | critical | PHP Injection Attack: I/O Stream Found |
| 933150 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Name Found |
| 933151 | PL2 | critical | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933160 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Call Found |
| 933161 | PL3 | critical | PHP Injection Attack: Low-Value PHP Function Call Found |
| 933170 | PL1 | critical | PHP Injection Attack: Serialized Object Injection |
| 933180 | PL1 | critical | PHP Injection Attack: Variable Function Call Found |
| 941100 | PL1 | critical | XSS Attack Detected via libinjection |
| 941110 | PL1 | critical | XSS Filter - Category 1: Script Tag Vector |
| 941120 | PL1 | critical | XSS Filter - Category 2: Event Handler Vector |
| 941130 | PL1 | critical | XSS Filter - Category 3: Attribute Vector |
| 941140 | PL1 | critical | XSS Filter - Category 4: Javascript URI Vector |
| 941150 | PL1 | critical | XSS Filter - Category 5: Disallowed HTML Attributes |
| 941160 | PL1 | critical | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | PL1 | critical | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | PL1 | critical | Node-Validator Blacklist Keywords |
| 941190 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941200 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941210 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941220 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941230 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941240 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941250 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941260 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941270 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941280 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941290 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941300 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941310 | PL1 | critical | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
| 941320 | PL2 | critical | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | PL2 | critical | IE XSS Filters - Attack Detected. |
| 941340 | PL2 | critical | IE XSS Filters - Attack Detected. |
| 941350 | PL1 | critical | UTF-7 Encoding IE XSS - Attack Detected. |
| 942100 | PL1 | critical | SQL Injection Attack Detected via libinjection |
| 942110 | PL2 | warning | SQL Injection Attack: Common Injection Testing Detected |
| 942120 | PL2 | critical | SQL Injection Attack: SQL Operator Detected |
| 942130 | PL2 | critical | SQL Injection Attack: SQL Tautology Detected. |
| 942140 | PL1 | critical | SQL Injection Attack: Common DB Names Detected |
| 942150 | PL2 | critical | SQL Injection Attack |
| 942160 | PL1 | critical | Detects blind sqli tests using sleep() or benchmark(). |
| 942170 | PL1 | critical | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942180 | PL2 | critical | Detects basic SQL authentication bypass attempts 1/3 |
| 942190 | PL1 | critical | Detects MSSQL code execution and information gathering attempts |
| 942200 | PL2 | critical | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | PL2 | critical | Detects chained SQL injection attempts 1/2 |
| 942220 | PL1 | critical | Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash |
| 942230 | PL1 | critical | Detects conditional SQL injection attempts |
| 942240 | PL1 | critical | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | PL1 | critical | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942251 | PL3 | critical | Detects HAVING injections |
| 942260 | PL2 | critical | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | PL1 | critical | Looking for basic sql injection. Common attack string for mysql, oracle and others. |
| 942280 | PL1 | critical | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| 942290 | PL1 | critical | Finds basic MongoDB SQL injection attempts |
| 942300 | PL2 | critical | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | PL2 | critical | Detects chained SQL injection attempts 2/2 |
| 942320 | PL1 | critical | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | PL2 | critical | Detects classic SQL injection probings 1/2 |
| 942340 | PL2 | critical | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | PL1 | critical | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | PL1 | critical | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942370 | PL2 | critical | Detects classic SQL injection probings 2/2 |
| 942380 | PL2 | critical | SQL Injection Attack |
| 942390 | PL2 | critical | SQL Injection Attack |
| 942400 | PL2 | critical | SQL Injection Attack |
| 942410 | PL2 | critical | SQL Injection Attack |
| 942420 | PL3 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| 942421 | PL4 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| 942430 | PL2 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942431 | PL3 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| 942432 | PL4 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
| 942440 | PL2 | critical | SQL Comment Sequence Detected. |
| 942450 | PL2 | critical | SQL Hex Encoding Identified |
| 942460 | PL3 | warning | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| 943100 | PL1 | critical | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| 943110 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| 943120 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
| 949100 | PL1 | none | Request Denied by IP Reputation Enforcement. |
| 949110 | PL1 | none | Check of inbound anomaly score |
| 950100 | PL2 | error | The Application Returned a 500-Level Status Code |
| 950130 | PL1 | error | Directory Listing |
| 951110 | PL1 | critical | Microsoft Access SQL Information Leakage |
| 951120 | PL1 | critical | Oracle SQL Information Leakage |
| 951130 | PL1 | critical | DB2 SQL Information Leakage |
| 951140 | PL1 | critical | EMC SQL Information Leakage |
| 951150 | PL1 | critical | firebird SQL Information Leakage |
| 951160 | PL1 | critical | Frontbase SQL Information Leakage |
| 951170 | PL1 | critical | hsqldb SQL Information Leakage |
| 951180 | PL1 | critical | informix SQL Information Leakage |
| 951190 | PL1 | critical | ingres SQL Information Leakage |
| 951200 | PL1 | critical | interbase SQL Information Leakage |
| 951210 | PL1 | critical | maxDB SQL Information Leakage |
| 951220 | PL1 | critical | mssql SQL Information Leakage |
| 951230 | PL1 | critical | mysql SQL Information Leakage |
| 951240 | PL1 | critical | postgres SQL Information Leakage |
| 951250 | PL1 | critical | sqlite SQL Information Leakage |
| 951260 | PL1 | critical | Sybase SQL Information Leakage |
| 952100 | PL1 | error | Java Source Code Leakage |
| 952110 | PL1 | error | Java Errors |
| 953100 | PL1 | error | PHP Information Leakage |
| 953110 | PL1 | error | PHP source code leakage |
| 953120 | PL1 | error | PHP source code leakage |
| 954100 | PL1 | error | Disclosure of IIS install location |
| 954110 | PL1 | error | Application Availability Error |
| 954120 | PL1 | error | IIS Information Leakage |
| 954130 | PL1 | error | IIS Information Leakage |
| 959100 | PL1 | none | Check of outbound anomaly score |
| 980100 | PL1 | none | Anomaly score correlation rule |
| 980110 | PL1 | none | Anomaly score correlation rule |
| 980120 | PL1 | none | Anomaly score correlation rule |
| 980130 | PL1 | none | Anomaly score correlation rule |
| 980140 | PL1 | none | Anomaly score correlation rule |
| 9001000 | PL1 | none | Drupal rule exception |
| 9001110 | PL1 | none | Drupal rule exception |
| 9001112 | PL1 | none | Drupal rule exception |
| 9001114 | PL1 | none | Drupal rule exception |
| 9001116 | PL1 | none | Drupal rule exception |
| 9001120 | PL1 | none | Drupal rule exception |
| 9001122 | PL1 | none | Drupal rule exception |
| 9001124 | PL1 | none | Drupal rule exception |
| 9001126 | PL1 | none | Drupal rule exception |
| 9001128 | PL1 | none | Drupal rule exception |
| 9001140 | PL1 | none | Drupal rule exception |
| 9001150 | PL1 | none | Drupal rule exception |
| 9001170 | PL1 | none | Drupal rule exception |
| 9001180 | PL1 | none | Drupal rule exception |
| 9001182 | PL1 | none | Drupal rule exception |
| 9001184 | PL1 | none | Drupal rule exception |
| 9001200 | PL1 | none | Drupal rule exception |
| 9001202 | PL1 | none | Drupal rule exception |
| 9001204 | PL1 | none | Drupal rule exception |
| 9001206 | PL1 | none | Drupal rule exception |
| 9001208 | PL1 | none | Drupal rule exception |
| 9001210 | PL1 | none | Drupal rule exception |
| 9001212 | PL1 | none | Drupal rule exception |
| 9001214 | PL1 | none | Drupal rule exception |
| 9001216 | PL1 | none | Drupal rule exception |
| 9002000 | PL1 | none | WordPress rule exception |
| 9002001 | PL1 | none | WordPress rule exception |
| 9002100 | PL1 | none | WordPress rule exception |
| 9002120 | PL1 | none | WordPress rule exception |
| 9002130 | PL1 | none | WordPress rule exception |
| 9002150 | PL1 | none | WordPress rule exception |
| 9002160 | PL1 | none | WordPress rule exception |
| 9002200 | PL1 | none | WordPress rule exception |
| 9002400 | PL1 | none | WordPress rule exception |
| 9002401 | PL1 | none | WordPress rule exception |
| 9002410 | PL1 | none | WordPress rule exception |
| 9002420 | PL1 | none | WordPress rule exception |
| 9002520 | PL1 | none | WordPress rule exception |
| 9002530 | PL1 | none | WordPress rule exception |
| 9002540 | PL1 | none | WordPress rule exception |
| 9002700 | PL1 | none | WordPress rule exception |
| 9002710 | PL1 | none | WordPress rule exception |
| 9002720 | PL1 | none | WordPress rule exception |
| 9002730 | PL1 | none | WordPress rule exception |
| 9002740 | PL1 | none | WordPress rule exception |
| 9002750 | PL1 | none | WordPress rule exception |
| 9002800 | PL1 | none | WordPress rule exception |
| 9002810 | PL1 | none | WordPress rule exception |
| 9002820 | PL1 | none | WordPress rule exception |
| 9002900 | PL1 | none | WordPress rule exception |
The data is based on over 100 services of very heterogeneous character. There is a lot of b2b enterprise software, but also b2c sites, webmail sites, wikis, you name it. What I did was looking for tuning rules or ignore rules; that is rules that make false positives go away. I grepped over all the configs and summed up the results.
So this is no hard science: Many different sites generated a lot of false positives. A dozen of admins wrote tuning rules in a variety of styles. Some of the services were tightly covered, others only in a lose way. And then I summed it all up, putting small and big services together; nevermind the differences between them. So this has to be taken with a substantial grain of salt. I am sure one could come up with better data. But I have not seen any public coverage of the topic. So this is a start and I invite you to present your stats as well.
Here we go with my stats: I have covered the base rules of the OWASP ModSecurity Core Rules and assigned the rules into four distinct groups:
- none or hardly any false positives (184 rules)
- few false positives (40 rules)
- frequent false positives (18 rules)
- very frequent false positives (11 rules)
There is a fifth group with auxilary rules, which are not always logged and where the idea of false positives does not really make sense (31 rules).
Here are the individual rules and in which group they fall; all sorted by rule id:
| Rule ID | Description / Message | False Positives Frequency |
| 950001 | SQL Injection Attack | frequent false positives |
| 950002 | System Command Access | few false positives |
| 950005 | Remote File Access Attempt | few false positives |
| 950006 | System Command Injection | few false positives |
| 950007 | Blind SQL Injection Attack | few false positives |
| 950008 | Injection of Undocumented ColdFusion Tags | few false positives |
| 950009 | Session Fixation Attack | few false positives |
| 950010 | LDAP Injection Attack | few false positives |
| 950011 | SSI injection Attack | hardly any false positives |
| 950018 | Universal PDF XSS URL Detected. | hardly any false positives |
| 950019 | Email Injection Attack | hardly any false positives |
| 950103 | Path Traversal Attack | hardly any false positives |
| 950107 | URL Encoding Abuse Attack Attempt | hardly any false positives |
| 950109 | Multiple URL Encoding Detected | frequent false positives |
| 950110 | Backdoor access | hardly any false positives |
| 950116 | Unicode Full/Half Width Abuse Attack Attempt | hardly any false positives |
| 950117 | Remote File Inclusion Attack | hardly any false positives |
| 950118 | Remote File Inclusion Attack | hardly any false positives |
| 950119 | Remote File Inclusion Attack | hardly any false positives |
| 950120 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | hardly any false positives |
| 950801 | UTF8 Encoding Abuse Attack Attempt | hardly any false positives |
| 950901 | SQL Injection Attack: SQL Tautology Detected. | very frequent false positives |
| 950907 | System Command Injection | frequent false positives |
| 950908 | SQL Injection Attack. | hardly any false positives |
| 950910 | HTTP Response Splitting Attack | hardly any false positives |
| 950911 | HTTP Response Splitting Attack | few false positives |
| 950921 | Backdoor access | hardly any false positives |
| 950922 | Backdoor access | hardly any false positives |
| 958000 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958001 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958002 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958003 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958004 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958005 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958006 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958007 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958008 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958009 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958010 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958011 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958012 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958013 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958016 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958017 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958018 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958019 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958020 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958022 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958023 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958024 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958025 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958026 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958027 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958028 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958030 | Cross-site Scripting (XSS) Attack | few false positives |
| 958031 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958032 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958033 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958034 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958036 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958037 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958038 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958039 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958040 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958041 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958045 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958046 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958047 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958049 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958051 | Cross-site Scripting (XSS) Attack | few false positives |
| 958052 | Cross-site Scripting (XSS) Attack | few false positives |
| 958054 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958056 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958057 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958059 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958230 | Range: Invalid Last Byte Value. | hardly any false positives |
| 958231 | Range: Too many fields | hardly any false positives |
| 958291 | Range: field exists and begins with 0. | few false positives |
| 958295 | Multiple/Conflicting Connection Header Data Found. | hardly any false positives |
| 958404 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958405 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958406 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958407 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958408 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958409 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958410 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958411 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958412 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958413 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958414 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958415 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958416 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958417 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958418 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958419 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958420 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958421 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958422 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958423 | Cross-site Scripting (XSS) Attack | hardly any false positives |
| 958976 | PHP Injection Attack | hardly any false positives |
| 958977 | PHP Injection Attack | hardly any false positives |
| 959070 | SQL Injection Attack | frequent false positives |
| 959071 | SQL Injection Attack | frequent false positives |
| 959072 | SQL Injection Attack | frequent false positives |
| 959073 | SQL Injection Attack | very frequent false positives |
| 959151 | PHP Injection Attack | hardly any false positives |
| 960000 | Attempted multipart/form-data bypass | few false positives |
| 960006 | Empty User Agent Header | hardly any false positives |
| 960007 | Empty Host Header | hardly any false positives |
| 960008 | Request Missing a Host Header | hardly any false positives |
| 960009 | Request Missing a User Agent Header | few false positives |
| 960010 | Request content type is not allowed by policy | few false positives |
| 960011 | GET or HEAD Request with Body Content | hardly any false positives |
| 960012 | POST request missing Content-Length Header | hardly any false positives |
| 960014 | Proxy access attempt | hardly any false positives |
| 960015 | Request Missing an Accept Header | very frequent false positives |
| 960016 | Content-Length HTTP header is not numeric | hardly any false positives |
| 960017 | Host header is a numeric IP address | very frequent false positives |
| 960018 | Invalid character in request | hardly any false positives |
| 960020 | Pragma Header requires Cache-Control Header for HTTP/1.1 requests. | hardly any false positives |
| 960021 | Request Has an Empty Accept Header | hardly any false positives |
| 960022 | Expect Header Not Allowed for HTTP 1.0 | hardly any false positives |
| 960024 | Meta-Character Anomaly Detection Alert – Repetative Non-Word Characters | very frequent false positives |
| 960032 | Method is not allowed by policy | hardly any false positives |
| 960034 | HTTP protocol version is not allowed by policy | hardly any false positives |
| 960035 | URL file extension is restricted by policy | frequent false positives |
| 960038 | HTTP header is restricted by policy | hardly any false positives |
| 960208 | Argument value too long | hardly any false positives |
| 960209 | Argument name too long | hardly any false positives |
| 960335 | Too many arguments in request | hardly any false positives |
| 960341 | Total arguments size exceeded | hardly any false positives |
| 960342 | Uploaded file size too large | hardly any false positives |
| 960343 | Total uploaded files size too large | hardly any false positives |
| 960901 | Invalid character in request | hardly any false positives |
| 960902 | Invalid Use of Identity Encoding | hardly any false positives |
| 960904 | Request Containing Content, but Missing Content-Type header | hardly any false positives |
| 960911 | Invalid HTTP Request Line | hardly any false positives |
| 960912 | Failed to parse request body | hardly any false positives |
| 960913 | Invalid request | hardly any false positives |
| 960914 | Multipart request body failed strict validation | hardly any false positives |
| 960915 | Multipart parser detected a possible unmatched boundary | hardly any false positives |
| 970002 | Statistics Information Leakage | hardly any false positives |
| 970003 | SQL Information Leakage | hardly any false positives |
| 970004 | IIS Information Leakage | hardly any false positives |
| 970007 | Zope Information Leakage | hardly any false positives |
| 970008 | Cold Fusion Information Leakage | hardly any false positives |
| 970009 | PHP Information Leakage | hardly any false positives |
| 970010 | ISA server existence revealed | hardly any false positives |
| 970011 | File or Directory Names Leakage | hardly any false positives |
| 970012 | Microsoft Office document properties leakage | hardly any false positives |
| 970013 | Directory Listing | hardly any false positives |
| 970014 | ASP/JSP source code leakage | hardly any false positives |
| 970015 | PHP source code leakage | hardly any false positives |
| 970016 | Cold Fusion source code leakage | hardly any false positives |
| 970018 | IIS installed in default location | hardly any false positives |
| 970021 | WebLogic information disclosure | hardly any false positives |
| 970118 | The application is not available | hardly any false positives |
| 970901 | The application is not available | few false positives |
| 970902 | PHP source code leakage | hardly any false positives |
| 970903 | ASP/JSP source code leakage | few false positives |
| 970904 | IIS Information Leakage | hardly any false positives |
| 973300 | Possible XSS Attack Detected – HTML Tag Handler | frequent false positives |
| 973301 | XSS Attack Detected | hardly any false positives |
| 973302 | XSS Attack Detected | few false positives |
| 973303 | XSS Attack Detected | hardly any false positives |
| 973304 | XSS Attack Detected | few false positives |
| 973305 | XSS Attack Detected | few false positives |
| 973306 | XSS Attack Detected | few false positives |
| 973307 | XSS Attack Detected | few false positives |
| 973308 | XSS Attack Detected | few false positives |
| 973309 | XSS Attack Detected | hardly any false positives |
| 973310 | XSS Attack Detected | few false positives |
| 973311 | XSS Attack Detected | hardly any false positives |
| 973312 | XSS Attack Detected | hardly any false positives |
| 973313 | XSS Attack Detected | hardly any false positives |
| 973314 | XSS Attack Detected | hardly any false positives |
| 973315 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973316 | IE XSS Filters – Attack Detected. | few false positives |
| 973317 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973318 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973319 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973320 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973321 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973322 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973323 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973324 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973325 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973326 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973327 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973328 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973329 | IE XSS Filters – Attack Detected. | few false positives |
| 973330 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973331 | IE XSS Filters – Attack Detected. | few false positives |
| 973332 | IE XSS Filters – Attack Detected. | frequent false positives |
| 973333 | IE XSS Filters – Attack Detected. | frequent false positives |
| 973334 | IE XSS Filters – Attack Detected. | few false positives |
| 973335 | IE XSS Filters – Attack Detected. | few false positives |
| 973336 | XSS Filter – Category 1: Script Tag Vector | hardly any false positives |
| 973337 | XSS Filter – Category 2: Event Handler Vector | hardly any false positives |
| 973338 | XSS Filter – Category 3: Javascript URI Vector | few false positives |
| 973344 | IE XSS Filters – Attack Detected. | few false positives |
| 973345 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973346 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 973347 | IE XSS Filters – Attack Detected. | few false positives |
| 973348 | IE XSS Filters – Attack Detected. | hardly any false positives |
| 981000 | Possibly malicious iframe tag in output | hardly any false positives |
| 981001 | Possibly malicious iframe tag in output | hardly any false positives |
| 981003 | Malicious iframe+javascript tag in output | hardly any false positives |
| 981004 | Potential Obfuscated Javascript in Output – Excessive fromCharCode | hardly any false positives |
| 981005 | Potential Obfuscated Javascript in Output – Eval+Unescape | hardly any false positives |
| 981006 | Potential Obfuscated Javascript in Output – Unescape | hardly any false positives |
| 981007 | Potential Obfuscated Javascript in Output – Heap Spray | hardly any false positives |
| 981018 | Auxilary Rule | does not apply |
| 981020 | Auxilary Rule | does not apply |
| 981021 | Auxilary Rule | does not apply |
| 981022 | Auxilary Rule | does not apply |
| 981133 | Auxilary Rule | does not apply |
| 981134 | Auxilary Rule | does not apply |
| 981136 | Unnamed XSS Rule | hardly any false positives |
| 981172 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
| 981173 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
| 981175 | Inbound Attack Targeting OSVDB Flagged Resource. | hardly any false positives |
| 981176 | Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg} | hardly any false positives |
| 981177 | Auxilary Rule | does not apply |
| 981178 | Auxilary Rule | does not apply |
| 981200 | Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg} | does not apply |
| 981201 | Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} – Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} – Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE}) | does not apply |
| 981202 | Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} – Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE}) | does not apply |
| 981203 | Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg} | does not apply |
| 981204 | Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg} | does not apply |
| 981205 | Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg} | does not apply |
| 981227 | Apache Error: Invalid URI in Request | hardly any false positives |
| 981231 | SQL Comment Sequence Detected. | very frequent false positives |
| 981240 | Detects MySQL comments, conditions and ch(a)r injections | frequent false positives |
| 981241 | Detects conditional SQL injection attempts | few false positives |
| 981242 | Detects classic SQL injection probings 1/2 | frequent false positives |
| 981243 | Detects classic SQL injection probings 2/2 | very frequent false positives |
| 981244 | Detects basic SQL authentication bypass attempts 1/3 | frequent false positives |
| 981245 | Detects basic SQL authentication bypass attempts 2/3 | frequent false positives |
| 981246 | Detects basic SQL authentication bypass attempts 3/3 | frequent false positives |
| 981247 | Detects concatenated basic SQL injection and SQLLFI attempts | few false positives |
| 981248 | Detects chained SQL injection attempts 1/2 | very frequent false positives |
| 981249 | Detects chained SQL injection attempts 2/2 | frequent false positives |
| 981250 | Detects SQL benchmark and sleep injection attempts including conditional queries | hardly any false positives |
| 981251 | Detects MySQL UDF injection and other data/structure manipulation attempts | hardly any false positives |
| 981252 | Detects MySQL charset switch and MSSQL DoS attempts | hardly any false positives |
| 981253 | Detects MySQL and PostgreSQL stored procedure/function injections | hardly any false positives |
| 981254 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | hardly any false positives |
| 981255 | Detects MSSQL code execution and information gathering attempts | few false positives |
| 981256 | Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections | few false positives |
| 981257 | Detects MySQL comment-/space-obfuscated injections and backtick termination | frequent false positives |
| 981260 | SQL Hex Encoding Identified | very frequent false positives |
| 981270 | Finds basic MongoDB SQL injection attempts | hardly any false positives |
| 981272 | Detects blind sqli tests using sleep() or benchmark(). | hardly any false positives |
| 981276 | Looking for basic sql injection. Common attack string for mysql, oracle and others. | hardly any false positives |
| 981277 | Looking for integer overflow attacks, these are taken from skipfish, except 2.2.90738585072007e-308 is the \”magic number\” crash | hardly any false positives |
| 981300 | Auxilary Rule | does not apply |
| 981301 | Auxilary Rule | does not apply |
| 981302 | Auxilary Rule | does not apply |
| 981303 | Auxilary Rule | does not apply |
| 981304 | Auxilary Rule | does not apply |
| 981305 | Auxilary Rule | does not apply |
| 981306 | Auxilary Rule | does not apply |
| 981307 | Auxilary Rule | does not apply |
| 981308 | Auxilary Rule | does not apply |
| 981309 | Auxilary Rule | does not apply |
| 981310 | Auxilary Rule | does not apply |
| 981311 | Auxilary Rule | does not apply |
| 981312 | Auxilary Rule | does not apply |
| 981313 | Auxilary Rule | does not apply |
| 981314 | Auxilary Rule | does not apply |
| 981315 | Auxilary Rule | does not apply |
| 981316 | Auxilary Rule | does not apply |
| 981317 | SQL SELECT Statement Anomaly Detection Alert | few false positives |
| 981318 | SQL Injection Attack: Common Injection Testing Detected | few false positives |
| 981319 | SQL Injection Attack: SQL Operator Detected | frequent false positives |
| 981320 | SQL Injection Attack: Common DB Names Detected | few false positives |
| 990002 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives |
| 990012 | Rogue web site crawler | hardly any false positives |
| 990901 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives |
| 990902 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives |
I think it is interesting to see, that most false positives are concentrated on a few dozens of rules. To ease things for the reader, here are the rules which frequently brought false positives:
| Rule ID | Description / Message | False Positives Frequency |
| 950001 | SQL Injection Attack | frequent false positives |
| 950109 | Multiple URL Encoding Detected | frequent false positives |
| 950907 | System Command Injection | frequent false positives |
| 959070 | SQL Injection Attack | frequent false positives |
| 959071 | SQL Injection Attack | frequent false positives |
| 959072 | SQL Injection Attack | frequent false positives |
| 960035 | URL file extension is restricted by policy | frequent false positives |
| 973300 | Possible XSS Attack Detected – HTML Tag Handler | frequent false positives |
| 973332 | IE XSS Filters – Attack Detected. | frequent false positives |
| 973333 | IE XSS Filters – Attack Detected. | frequent false positives |
| 981240 | Detects MySQL comments, conditions and ch(a)r injections | frequent false positives |
| 981242 | Detects classic SQL injection probings 1/2 | frequent false positives |
| 981244 | Detects basic SQL authentication bypass attempts 1/3 | frequent false positives |
| 981245 | Detects basic SQL authentication bypass attempts 2/3 | frequent false positives |
| 981246 | Detects basic SQL authentication bypass attempts 3/3 | frequent false positives |
| 981249 | Detects chained SQL injection attempts 2/2 | frequent false positives |
| 981257 | Detects MySQL comment-/space-obfuscated injections and backtick termination | frequent false positives |
| 981319 | SQL Injection Attack: SQL Operator Detected | frequent false positives |
And here are the rules which have even more false positives. The rules in this group had tuning rules in half if not more of the services I examined:
| Rule ID | Description / Message | False Positives Frequency |
| 950901 | SQL Injection Attack: SQL Tautology Detected. | very frequent false positives |
| 959073 | SQL Injection Attack | very frequent false positives |
| 960015 | Request Missing an Accept Header | very frequent false positives |
| 960017 | Host header is a numeric IP address | very frequent false positives |
| 960024 | Meta-Character Anomaly Detection Alert – Repetative Non-Word Characters | very frequent false positives |
| 981172 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
| 981173 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
| 981231 | SQL Comment Sequence Detected. | very frequent false positives |
| 981243 | Detects classic SQL injection probings 2/2 | very frequent false positives |
| 981248 | Detects chained SQL injection attempts 1/2 | very frequent false positives |
| 981260 | SQL Hex Encoding Identified | very frequent false positives |