Description
Rule 932340 seems overly aggressive. Things like df and su were triggering alerts on an input for a person's initials. I added an exclusion in my application, but I also found that w alone triggers the rule. I know it's a UNIX command, but it doesn't seem like ModSecurity should block on a single character.
How to reproduce the misbehavior (-> curl call)
Add ?test=w to a URL. E.g. http://nginx.docker.localhost:8888/?test=w
Logs
---6hnaYeXJ---A--
[10/Feb/2026:14:51:35 -0500] 177075309536.739988 192.168.65.1 64789 172.17.0.2 80
---6hnaYeXJ---D--
---6hnaYeXJ---F--
HTTP/1.1 403
Server: nginx
Date: Tue, 10 Feb 2026 19:51:35 GMT
Content-Length: 548
Content-Type: text/html
Connection: keep-alive
---6hnaYeXJ---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)? (2946 characters omitted)' against variable `ARGS:test' (Value: `w' ) [file "/etc/nginx/modsec/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "646"] [id "932340"] [rev ""] [msg "Remote Command Execution: Direct Unix Command Execution (No Arguments)"] [data "Matched Data: w found within ARGS:test: w"] [severity "2"] [ver "OWASP_CRS/4.23.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-RCE"] [tag "capec/1000/152/248/88"] [hostname "172.17.0.2"] [uri "/"] [unique_id "177075309536.739988"] [ref "o0,1v11,1"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.23.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "172.17.0.2"] [uri "/"] [unique_id "177075309536.739988"] [ref ""]
---6hnaYeXJ---I--
---6hnaYeXJ---J--
---6hnaYeXJ---Z--
Your Environment
- CRS version (e.g., v3.3.4): 4.23.0
- Paranoia level setting (e.g. PL1) : PL1
- Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx
- Operating System and version: Amazon Linux 2
Confirmation
[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
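A targeted runtime exclusion that addresses this report without disabling 932340 for every parameter, as an added example (not the issue author's own exclusion and not CRS project code). It assumes the initials field is the query/form parameter `test` used in the reproduction above and that the application is served from `/`; the rule id 1000 is a placeholder in the user-reserved range. Because `ctl:ruleRemoveTargetById` only affects rules evaluated after it, this rule must run in phase 1 and be loaded before the CRS rule files, i.e. in `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`:

```apache
# Added example, not from the issue author or the CRS project.
# Assumptions: the application is served under "/" and the initials field is
# the parameter "test" (taken from the reproduction URL above); id 1000 is a
# placeholder in the user-reserved id range.
#
# Remove ARGS:test from the targets of 932340 for every request under "/",
# leaving the rule active for all other arguments. Phase 1 and "pass" so the
# request continues into the CRS rules with the target already excluded.
SecRule REQUEST_URI "@beginsWith /" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932340;ARGS:test"
```

After reloading nginx, `curl -i 'http://nginx.docker.localhost:8888/?test=w'` should return 200 instead of the 403 shown in the audit log, while `curl -i 'http://nginx.docker.localhost:8888/?other=w'` is still blocked, since 932340 still inspects `ARGS:other` and its severity-2 (critical) match alone contributes the 5 points that reach the default inbound threshold of 5 seen in rule 949110. Replacing the target removal with `ctl:ruleRemoveById=932340` would silence the rule for the whole application, which is a much larger loss of coverage for an RCE rule than excluding one known-benign parameter.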