How to fix a false positive

On Sophos UTM, mod_security can detect a far greater number of attacks, but also experiences a larger number of false positives. If your website is experiencing a lot of false positives, the best way to resolve them is to disable the specific rule IDs that are being detected.

To determine the rule IDs that are being matched, you’ll need to check the Web Application Firewall log while browsing to your website and recreating the false positive. To open the WAF live log, navigate to Webserver Protection > Web Application Firewall > Virtual Webservers, and click on Open live log.

After experiencing the false positive, you should see something similar to the below in the WAF live log. The rule ID your looking for appears under the ‘id‘ field, in the format [id “<rule number>”]:

2014:09:23-10:44:05 UTM reverseproxy: [Tue Sep 23 10:44:05.218166 2014] [security2:error] [pid 2106:tid 1532648304] [client 1.2.3.4] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:hidden_color. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: : found within ARGS:hidden_color: #FF003F::color::click::captchaColor"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.domain.com"] [uri "index.php"] [unique_id "VCGHNdHIHfoAAAg61L4AAAIo"]

To disable rules, you can browse to Webserver Protection > Web Application Firewall > Firewall Profiles, click Edit on the appropriate Firewall Profile, and then add the rule ID number into the Skip Filter rules box. The result will look similar to the following:

Infrastructure rules

There are certain rules we call infrastructure rules; they are core to the operation of the WAF ModSecurity. You should not disable these rules without possibly affecting other rules that are built upon these rules. If an infrastructure rule is added to the Skip Filter Rules list, then you make yourself vulnerable to other possible attacks.

• 981020
• 981021
• 981022
• 981175
• 981176
• 981200
• 981201
• 981202
• 981203
• 981204
• 981205

To block a false positive search the reverseproxy.log for non-infrastructure rules that were triggered before the infrastructure rule and add those to the Skip Filter Rules list instead. Keep in mind that the infrastructure rules are always the last rules to be triggered by an HTTP request.

Source:

https://community.sophos.com/kb/en-us/121446#Infrastructure rules