rule 920300 title / details mismatch
owingruters opened this issue
I have a lot of positives for rule 920300 'Request Missing an Accept Header'.
The details are: "Warning. Match of 'pm AppleWebKit Android' against 'REQUEST_HEADERS:User-Agent' required."
The title of the rule and the details do not match. The first is about the Accept header, the latter about the User-Agent header, two completely different things.
Also, the User-Agent 'pm AppleWebKit Android' is one that is not known in the market. Still, the number of records tells me that it is not an anomaly, but coming from opening a marketing email we send.
I use this rule in Azure Application Gateway and they do not allow me to specifically add an exclusion on this value of the User-Agent, only on the entire header.
Thank you for reporting @owingruters. This rule is a troubling one, but you are facing a misunderstanding.
'pm AppleWebKit Android' is a parallel match of the two keywords AppleWebKit and/or Android.
The full rule syntax is: Trigger an alert if no Accept Header unless it's an OPTIONS request coming from AppleWebKit or Android.
Now the trouble: ModSecurity only reports the last rule match. This complex rule has 3 rules chained, so you only get the match against the UAs.
I have now added more comments to this rule explaining the situation so the next user does not come to the same conclusion as you: #1753
However, you state you get a lot of false positives here. Would you mind sending us the audit-log of one of these requests, maybe the UA-List in the rule ought to be expanded. Feel free to attach here or open a separate issue. I will close this bug report in the meantime.
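The chain behaviour described in the reply above, as an added, simplified simulation (not the Core Rule Set's rule text and not ModSecurity's engine): three links that must all match before the rule fires, with the reported detail always being the last link evaluated. The link list, the detail strings (modelled on the message quoted in the issue) and the sample requests are constructed for illustration.

```python
"""Simplified model of a chained ModSecurity rule, added to illustrate the
reply above. It is NOT CRS rule 920300 or the ModSecurity engine; the
chain below is an assumption that follows the reply's description: alert
when Accept is absent, unless the method is OPTIONS or the User-Agent
contains AppleWebKit or Android."""

KEYWORDS = ("AppleWebKit", "Android")  # the @pm keyword list quoted in the issue


def header(req, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in req["headers"].items():
        if k.lower() == name.lower():
            return v
    return None


def accept_missing(req):
    # Link 1: matches when no Accept header is present at all.
    return header(req, "Accept") is None


def not_options(req):
    # Link 2: OPTIONS requests (e.g. CORS preflights) are exempt.
    return req["method"].upper() != "OPTIONS"


def ua_without_keywords(req):
    # Link 3: negated parallel match; matches only when the UA contains
    # NONE of the keywords, so WebKit/Android clients are exempt.
    ua = header(req, "User-Agent") or ""
    return not any(k in ua for k in KEYWORDS)


# Each link: (detail a negated-operator non-match is reported with, predicate).
# Detail strings are modelled on the message quoted in this issue (assumption).
CHAIN = [
    ("Match of 'rx ^accept$' against 'REQUEST_HEADERS_NAMES' required.", accept_missing),
    ("Match of 'rx ^OPTIONS$' against 'REQUEST_METHOD' required.", not_options),
    ("Match of 'pm AppleWebKit Android' against 'REQUEST_HEADERS:User-Agent' required.",
     ua_without_keywords),
]


def evaluate_chain(req):
    """Walk the chain and stop at the first link that does not match.

    Returns (fired, detail). The rule fires only when every link matched,
    and `detail` is always the LAST link evaluated. That is why a fired
    'Request Missing an Accept Header' rule reports the User-Agent check:
    the Accept check matched earlier and is no longer the last link."""
    last_detail = None
    for detail, predicate in CHAIN:
        last_detail = detail
        if not predicate(req):
            return False, detail
    return True, last_detail


# Constructed sample requests; hostnames and UA strings are illustrative.
SAMPLES = {
    "firefox_no_accept": {
        "method": "GET",
        "headers": {"Host": "example.test",
                    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"},
    },
    "android_no_accept": {
        "method": "GET",
        "headers": {"Host": "example.test",
                    "User-Agent": "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 "
                                  "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36"},
    },
    "preflight": {
        "method": "OPTIONS",
        "headers": {"Host": "example.test", "User-Agent": "curl/8.0"},
    },
    "with_accept": {
        "method": "GET",
        # lowercase header name on purpose: the lookup must be case-insensitive
        "headers": {"Host": "example.test", "accept": "*/*", "User-Agent": "curl/8.0"},
    },
}


def run_samples():
    """Evaluate every sample; returns {name: (fired, detail)}."""
    return {name: evaluate_chain(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fired, detail) in run_samples().items():
        print(f"{name:20s} fired={fired!s:5s} last link: {detail}")
```

Only the Firefox request without an Accept header makes the chain fire, and the detail it carries is the User-Agent link, exactly the message the reporter saw. The Android request is exempted by the third link, which is the place to look when deciding whether the keyword list should be expanded for a given client.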