[UPDATE: There is a separate tutorial about the handling of false positives. This article is mostly about statistical data for the CRS2 rule set; CRS3 has since been released.]
ModSecurity – or any WAF for that matter – produces false positives. If it does not produce false positives, then it’s probably dead. A strict ruleset like the OWASP ModSecurity Core Rules 2.x brings a lot of false positives, and it takes some tuning to get to a reasonable level of alerts. If you have tuned a few services, then some of the rules will become familiar to you. But which rules are these?
We are in the process of developing a paranoia mode for the OWASP ModSecurity Core Rules. The idea is to move certain rules into an optional section, which would only run when enabled. This reduces false positives for the default installation – but keeps the rules available for the experienced administrator. In fact, the current development tree of the core rules already comes without a lot of these overzealous rules. This post brings some data about the rules in the 2.2.X releases and how often my customers or I have encountered false positives with them.
The data is based on over 100 services of very heterogeneous character. There is a lot of b2b enterprise software, but also b2c sites, webmail sites, wikis, you name it. What I did was look for tuning rules or ignore rules, that is, rules that make false positives go away. I grepped over all the configs and summed up the results.
So this is no hard science: Many different sites generated a lot of false positives. A dozen admins wrote tuning rules in a variety of styles. Some of the services were tightly covered, others only in a loose way. And then I summed it all up, putting small and big services together; never mind the differences between them. So this has to be taken with a substantial grain of salt. I am sure one could come up with better data. But I have not seen any public coverage of the topic. So this is a start, and I invite you to present your stats as well.
Here we go with my stats: I have covered the base rules of the OWASP ModSecurity Core Rules and assigned the rules to four distinct groups:
- none or hardly any false positives (184 rules)
- few false positives (40 rules)
- frequent false positives (18 rules)
- very frequent false positives (11 rules)
There is a fifth group with auxiliary rules, which are not always logged and where the idea of false positives does not really make sense (31 rules).
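The counting described above (grep the service configs for tuning rules, tally how many services exclude each rule id, then bucket the rule) can be reproduced with a small script. The following is an added example, not code from the original post: the five service configs are constructed samples in ModSecurity 2.x syntax, the service names and the 25% cut-off for "frequent" are assumptions, and only the 50%-of-services line for "very frequent" comes from the post itself. It recognises the four usual exclusion forms: `SecRuleRemoveById` (single ids and ranges), `SecRuleUpdateTargetById`, and the `ctl:ruleRemoveById` / `ctl:ruleRemoveTargetById` actions inside a conditional `SecRule`.

```python
"""Tally ModSecurity rule exclusions across service configs (added example)."""
import re
from collections import defaultdict

# Constructed sample configs for five hypothetical services (not real sites).
SAMPLE_CONFIGS = {
    "service-a": """
# Blanket removal: rule 960015 (missing Accept header) fires on every API client
SecRuleRemoveById 960015
SecRuleRemoveById 981172 981173
# Targeted removal: exclude one parameter from the SQL comment rule
SecRuleUpdateTargetById 981231 !ARGS:comment
""",
    "service-b": """
# Conditional removal only for one path
SecRule REQUEST_URI "@beginsWith /wiki/edit" \\
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=981231,ctl:ruleRemoveById=960024"
SecRule REQUEST_URI "@beginsWith /search" \\
    "id:10002,phase:2,pass,nolog,ctl:ruleRemoveTargetById=981172;ARGS:q"
SecRuleRemoveById 960015
""",
    "service-c": """
SecRuleRemoveById 950901
SecRuleRemoveById 981172
""",
    "service-d": """
SecRuleRemoveById 960015
SecRule REQUEST_FILENAME "@streq /login" \\
    "id:10003,phase:2,pass,nolog,ctl:ruleRemoveTargetById=950001;ARGS:password"
""",
    "service-e": """
# Range form of SecRuleRemoveById
SecRuleRemoveById 950001 973300-973302
""",
}

REMOVE_BY_ID = re.compile(r"^\s*SecRuleRemoveById\s+(.+?)\s*$", re.MULTILINE)
UPDATE_TARGET = re.compile(r"^\s*SecRuleUpdateTargetById\s+(\d+)", re.MULTILINE)
CTL_REMOVE = re.compile(r"ctl:ruleRemove(?:Target)?ById=(\d+)")


def _expand(token):
    """SecRuleRemoveById accepts single ids and ranges such as 950000-950999."""
    m = re.fullmatch(r"(\d+)-(\d+)", token)
    if m:
        return range(int(m.group(1)), int(m.group(2)) + 1)
    if token.isdigit():
        return [int(token)]
    return []  # ignore anything that is not an id (defensive, e.g. stray text)


def tuned_rule_ids(config_text):
    """Return the set of rule ids that a service config excludes in some way."""
    ids = set()
    for m in REMOVE_BY_ID.finditer(config_text):
        for token in m.group(1).split():
            ids.update(_expand(token))
    for m in UPDATE_TARGET.finditer(config_text):
        ids.add(int(m.group(1)))
    for m in CTL_REMOVE.finditer(config_text):
        ids.add(int(m.group(1)))
    return ids


def service_counts(configs):
    """Map rule id -> number of services with at least one tuning rule for it."""
    counts = defaultdict(int)
    for text in configs.values():
        for rid in tuned_rule_ids(text):
            counts[rid] += 1
    return dict(counts)


def classify(fraction):
    """Bucket by the share of services that tuned the rule. The 50% line for
    'very frequent' is the post's criterion; the 25% line is an assumption."""
    if fraction >= 0.5:
        return "very frequent false positives"
    if fraction >= 0.25:
        return "frequent false positives"
    if fraction > 0:
        return "few false positives"
    return "hardly any false positives"


def false_positive_table(configs, known_ids=None):
    """rule id -> (services that tuned it, bucket); known_ids adds zero rows."""
    n = len(configs)
    counts = service_counts(configs)
    for rid in known_ids or ():
        counts.setdefault(rid, 0)
    return {rid: (cnt, classify(cnt / n)) for rid, cnt in sorted(counts.items())}


if __name__ == "__main__":
    for rid, (cnt, bucket) in false_positive_table(SAMPLE_CONFIGS).items():
        print(f"{rid} | tuned in {cnt}/{len(SAMPLE_CONFIGS)} services | {bucket}")
```

Note that a range such as `973300-973302` counts every id in it, including ids that no rule carries, so the per-service sets should be intersected with the rule ids actually present in the deployed rule set before drawing conclusions; a targeted exclusion (`SecRuleUpdateTargetById`, `ctl:ruleRemoveTargetById`) is counted like a blanket one, which matches the post's "rules that make false positives go away" criterion.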
Here are the individual rules and the group each one falls into, sorted by rule id:
Rule ID | Description / Message | False Positives Frequency |
--- | --- | --- |
950001 | SQL Injection Attack | frequent false positives |
950002 | System Command Access | few false positives |
950005 | Remote File Access Attempt | few false positives |
950006 | System Command Injection | few false positives |
950007 | Blind SQL Injection Attack | few false positives |
950008 | Injection of Undocumented ColdFusion Tags | few false positives |
950009 | Session Fixation Attack | few false positives |
950010 | LDAP Injection Attack | few false positives |
950011 | SSI injection Attack | hardly any false positives |
950018 | Universal PDF XSS URL Detected. | hardly any false positives |
950019 | Email Injection Attack | hardly any false positives |
950103 | Path Traversal Attack | hardly any false positives |
950107 | URL Encoding Abuse Attack Attempt | hardly any false positives |
950109 | Multiple URL Encoding Detected | frequent false positives |
950110 | Backdoor access | hardly any false positives |
950116 | Unicode Full/Half Width Abuse Attack Attempt | hardly any false positives |
950117 | Remote File Inclusion Attack | hardly any false positives |
950118 | Remote File Inclusion Attack | hardly any false positives |
950119 | Remote File Inclusion Attack | hardly any false positives |
950120 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | hardly any false positives |
950801 | UTF8 Encoding Abuse Attack Attempt | hardly any false positives |
950901 | SQL Injection Attack: SQL Tautology Detected. | very frequent false positives |
950907 | System Command Injection | frequent false positives |
950908 | SQL Injection Attack. | hardly any false positives |
950910 | HTTP Response Splitting Attack | hardly any false positives |
950911 | HTTP Response Splitting Attack | few false positives |
950921 | Backdoor access | hardly any false positives |
950922 | Backdoor access | hardly any false positives |
958000 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958001 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958002 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958003 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958004 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958005 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958006 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958007 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958008 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958009 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958010 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958011 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958012 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958013 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958016 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958017 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958018 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958019 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958020 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958022 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958023 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958024 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958025 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958026 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958027 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958028 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958030 | Cross-site Scripting (XSS) Attack | few false positives |
958031 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958032 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958033 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958034 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958036 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958037 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958038 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958039 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958040 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958041 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958045 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958046 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958047 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958049 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958051 | Cross-site Scripting (XSS) Attack | few false positives |
958052 | Cross-site Scripting (XSS) Attack | few false positives |
958054 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958056 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958057 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958059 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958230 | Range: Invalid Last Byte Value. | hardly any false positives |
958231 | Range: Too many fields | hardly any false positives |
958291 | Range: field exists and begins with 0. | few false positives |
958295 | Multiple/Conflicting Connection Header Data Found. | hardly any false positives |
958404 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958405 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958406 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958407 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958408 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958409 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958410 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958411 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958412 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958413 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958414 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958415 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958416 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958417 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958418 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958419 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958420 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958421 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958422 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958423 | Cross-site Scripting (XSS) Attack | hardly any false positives |
958976 | PHP Injection Attack | hardly any false positives |
958977 | PHP Injection Attack | hardly any false positives |
959070 | SQL Injection Attack | frequent false positives |
959071 | SQL Injection Attack | frequent false positives |
959072 | SQL Injection Attack | frequent false positives |
959073 | SQL Injection Attack | very frequent false positives |
959151 | PHP Injection Attack | hardly any false positives |
960000 | Attempted multipart/form-data bypass | few false positives |
960006 | Empty User Agent Header | hardly any false positives |
960007 | Empty Host Header | hardly any false positives |
960008 | Request Missing a Host Header | hardly any false positives |
960009 | Request Missing a User Agent Header | few false positives |
960010 | Request content type is not allowed by policy | few false positives |
960011 | GET or HEAD Request with Body Content | hardly any false positives |
960012 | POST request missing Content-Length Header | hardly any false positives |
960014 | Proxy access attempt | hardly any false positives |
960015 | Request Missing an Accept Header | very frequent false positives |
960016 | Content-Length HTTP header is not numeric | hardly any false positives |
960017 | Host header is a numeric IP address | very frequent false positives |
960018 | Invalid character in request | hardly any false positives |
960020 | Pragma Header requires Cache-Control Header for HTTP/1.1 requests. | hardly any false positives |
960021 | Request Has an Empty Accept Header | hardly any false positives |
960022 | Expect Header Not Allowed for HTTP 1.0 | hardly any false positives |
960024 | Meta-Character Anomaly Detection Alert – Repetative Non-Word Characters | very frequent false positives |
960032 | Method is not allowed by policy | hardly any false positives |
960034 | HTTP protocol version is not allowed by policy | hardly any false positives |
960035 | URL file extension is restricted by policy | frequent false positives |
960038 | HTTP header is restricted by policy | hardly any false positives |
960208 | Argument value too long | hardly any false positives |
960209 | Argument name too long | hardly any false positives |
960335 | Too many arguments in request | hardly any false positives |
960341 | Total arguments size exceeded | hardly any false positives |
960342 | Uploaded file size too large | hardly any false positives |
960343 | Total uploaded files size too large | hardly any false positives |
960901 | Invalid character in request | hardly any false positives |
960902 | Invalid Use of Identity Encoding | hardly any false positives |
960904 | Request Containing Content, but Missing Content-Type header | hardly any false positives |
960911 | Invalid HTTP Request Line | hardly any false positives |
960912 | Failed to parse request body | hardly any false positives |
960913 | Invalid request | hardly any false positives |
960914 | Multipart request body failed strict validation | hardly any false positives |
960915 | Multipart parser detected a possible unmatched boundary | hardly any false positives |
970002 | Statistics Information Leakage | hardly any false positives |
970003 | SQL Information Leakage | hardly any false positives |
970004 | IIS Information Leakage | hardly any false positives |
970007 | Zope Information Leakage | hardly any false positives |
970008 | Cold Fusion Information Leakage | hardly any false positives |
970009 | PHP Information Leakage | hardly any false positives |
970010 | ISA server existence revealed | hardly any false positives |
970011 | File or Directory Names Leakage | hardly any false positives |
970012 | Microsoft Office document properties leakage | hardly any false positives |
970013 | Directory Listing | hardly any false positives |
970014 | ASP/JSP source code leakage | hardly any false positives |
970015 | PHP source code leakage | hardly any false positives |
970016 | Cold Fusion source code leakage | hardly any false positives |
970018 | IIS installed in default location | hardly any false positives |
970021 | WebLogic information disclosure | hardly any false positives |
970118 | The application is not available | hardly any false positives |
970901 | The application is not available | few false positives |
970902 | PHP source code leakage | hardly any false positives |
970903 | ASP/JSP source code leakage | few false positives |
970904 | IIS Information Leakage | hardly any false positives |
973300 | Possible XSS Attack Detected – HTML Tag Handler | frequent false positives |
973301 | XSS Attack Detected | hardly any false positives |
973302 | XSS Attack Detected | few false positives |
973303 | XSS Attack Detected | hardly any false positives |
973304 | XSS Attack Detected | few false positives |
973305 | XSS Attack Detected | few false positives |
973306 | XSS Attack Detected | few false positives |
973307 | XSS Attack Detected | few false positives |
973308 | XSS Attack Detected | few false positives |
973309 | XSS Attack Detected | hardly any false positives |
973310 | XSS Attack Detected | few false positives |
973311 | XSS Attack Detected | hardly any false positives |
973312 | XSS Attack Detected | hardly any false positives |
973313 | XSS Attack Detected | hardly any false positives |
973314 | XSS Attack Detected | hardly any false positives |
973315 | IE XSS Filters – Attack Detected. | hardly any false positives |
973316 | IE XSS Filters – Attack Detected. | few false positives |
973317 | IE XSS Filters – Attack Detected. | hardly any false positives |
973318 | IE XSS Filters – Attack Detected. | hardly any false positives |
973319 | IE XSS Filters – Attack Detected. | hardly any false positives |
973320 | IE XSS Filters – Attack Detected. | hardly any false positives |
973321 | IE XSS Filters – Attack Detected. | hardly any false positives |
973322 | IE XSS Filters – Attack Detected. | hardly any false positives |
973323 | IE XSS Filters – Attack Detected. | hardly any false positives |
973324 | IE XSS Filters – Attack Detected. | hardly any false positives |
973325 | IE XSS Filters – Attack Detected. | hardly any false positives |
973326 | IE XSS Filters – Attack Detected. | hardly any false positives |
973327 | IE XSS Filters – Attack Detected. | hardly any false positives |
973328 | IE XSS Filters – Attack Detected. | hardly any false positives |
973329 | IE XSS Filters – Attack Detected. | few false positives |
973330 | IE XSS Filters – Attack Detected. | hardly any false positives |
973331 | IE XSS Filters – Attack Detected. | few false positives |
973332 | IE XSS Filters – Attack Detected. | frequent false positives |
973333 | IE XSS Filters – Attack Detected. | frequent false positives |
973334 | IE XSS Filters – Attack Detected. | few false positives |
973335 | IE XSS Filters – Attack Detected. | few false positives |
973336 | XSS Filter – Category 1: Script Tag Vector | hardly any false positives |
973337 | XSS Filter – Category 2: Event Handler Vector | hardly any false positives |
973338 | XSS Filter – Category 3: Javascript URI Vector | few false positives |
973344 | IE XSS Filters – Attack Detected. | few false positives |
973345 | IE XSS Filters – Attack Detected. | hardly any false positives |
973346 | IE XSS Filters – Attack Detected. | hardly any false positives |
973347 | IE XSS Filters – Attack Detected. | few false positives |
973348 | IE XSS Filters – Attack Detected. | hardly any false positives |
981000 | Possibly malicious iframe tag in output | hardly any false positives |
981001 | Possibly malicious iframe tag in output | hardly any false positives |
981003 | Malicious iframe+javascript tag in output | hardly any false positives |
981004 | Potential Obfuscated Javascript in Output – Excessive fromCharCode | hardly any false positives |
981005 | Potential Obfuscated Javascript in Output – Eval+Unescape | hardly any false positives |
981006 | Potential Obfuscated Javascript in Output – Unescape | hardly any false positives |
981007 | Potential Obfuscated Javascript in Output – Heap Spray | hardly any false positives |
981018 | Auxiliary Rule | does not apply |
981020 | Auxiliary Rule | does not apply |
981021 | Auxiliary Rule | does not apply |
981022 | Auxiliary Rule | does not apply |
981133 | Auxiliary Rule | does not apply |
981134 | Auxiliary Rule | does not apply |
981136 | Unnamed XSS Rule | hardly any false positives |
981172 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
981173 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
981175 | Inbound Attack Targeting OSVDB Flagged Resource. | hardly any false positives |
981176 | Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg} | hardly any false positives |
981177 | Auxiliary Rule | does not apply |
981178 | Auxiliary Rule | does not apply |
981200 | Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg} | does not apply |
981201 | Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} – Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} – Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE}) | does not apply |
981202 | Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} – Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE}) | does not apply |
981203 | Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg} | does not apply |
981204 | Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg} | does not apply |
981205 | Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg} | does not apply |
981227 | Apache Error: Invalid URI in Request | hardly any false positives |
981231 | SQL Comment Sequence Detected. | very frequent false positives |
981240 | Detects MySQL comments, conditions and ch(a)r injections | frequent false positives |
981241 | Detects conditional SQL injection attempts | few false positives |
981242 | Detects classic SQL injection probings 1/2 | frequent false positives |
981243 | Detects classic SQL injection probings 2/2 | very frequent false positives |
981244 | Detects basic SQL authentication bypass attempts 1/3 | frequent false positives |
981245 | Detects basic SQL authentication bypass attempts 2/3 | frequent false positives |
981246 | Detects basic SQL authentication bypass attempts 3/3 | frequent false positives |
981247 | Detects concatenated basic SQL injection and SQLLFI attempts | few false positives |
981248 | Detects chained SQL injection attempts 1/2 | very frequent false positives |
981249 | Detects chained SQL injection attempts 2/2 | frequent false positives |
981250 | Detects SQL benchmark and sleep injection attempts including conditional queries | hardly any false positives |
981251 | Detects MySQL UDF injection and other data/structure manipulation attempts | hardly any false positives |
981252 | Detects MySQL charset switch and MSSQL DoS attempts | hardly any false positives |
981253 | Detects MySQL and PostgreSQL stored procedure/function injections | hardly any false positives |
981254 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | hardly any false positives |
981255 | Detects MSSQL code execution and information gathering attempts | few false positives |
981256 | Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections | few false positives |
981257 | Detects MySQL comment-/space-obfuscated injections and backtick termination | frequent false positives |
981260 | SQL Hex Encoding Identified | very frequent false positives |
981270 | Finds basic MongoDB SQL injection attempts | hardly any false positives |
981272 | Detects blind sqli tests using sleep() or benchmark(). | hardly any false positives |
981276 | Looking for basic sql injection. Common attack string for mysql, oracle and others. | hardly any false positives |
981277 | Looking for integer overflow attacks, these are taken from skipfish, except 2.2.90738585072007e-308 is the "magic number" crash | hardly any false positives |
981300 | Auxiliary Rule | does not apply |
981301 | Auxiliary Rule | does not apply |
981302 | Auxiliary Rule | does not apply |
981303 | Auxiliary Rule | does not apply |
981304 | Auxiliary Rule | does not apply |
981305 | Auxiliary Rule | does not apply |
981306 | Auxiliary Rule | does not apply |
981307 | Auxiliary Rule | does not apply |
981308 | Auxiliary Rule | does not apply |
981309 | Auxiliary Rule | does not apply |
981310 | Auxiliary Rule | does not apply |
981311 | Auxiliary Rule | does not apply |
981312 | Auxiliary Rule | does not apply |
981313 | Auxiliary Rule | does not apply |
981314 | Auxiliary Rule | does not apply |
981315 | Auxiliary Rule | does not apply |
981316 | Auxiliary Rule | does not apply |
981317 | SQL SELECT Statement Anomaly Detection Alert | few false positives |
981318 | SQL Injection Attack: Common Injection Testing Detected | few false positives |
981319 | SQL Injection Attack: SQL Operator Detected | frequent false positives |
981320 | SQL Injection Attack: Common DB Names Detected | few false positives |
990002 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives |
990012 | Rogue web site crawler | hardly any false positives |
990901 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives |
990902 | Request Indicates a Security Scanner Scanned the Site | hardly any false positives |
I think it is interesting to see that most false positives are concentrated in a few dozen rules. To ease things for the reader, here are the rules which frequently brought false positives:
Rule ID | Description / Message | False Positives Frequency |
--- | --- | --- |
950001 | SQL Injection Attack | frequent false positives |
950109 | Multiple URL Encoding Detected | frequent false positives |
950907 | System Command Injection | frequent false positives |
959070 | SQL Injection Attack | frequent false positives |
959071 | SQL Injection Attack | frequent false positives |
959072 | SQL Injection Attack | frequent false positives |
960035 | URL file extension is restricted by policy | frequent false positives |
973300 | Possible XSS Attack Detected – HTML Tag Handler | frequent false positives |
973332 | IE XSS Filters – Attack Detected. | frequent false positives |
973333 | IE XSS Filters – Attack Detected. | frequent false positives |
981240 | Detects MySQL comments, conditions and ch(a)r injections | frequent false positives |
981242 | Detects classic SQL injection probings 1/2 | frequent false positives |
981244 | Detects basic SQL authentication bypass attempts 1/3 | frequent false positives |
981245 | Detects basic SQL authentication bypass attempts 2/3 | frequent false positives |
981246 | Detects basic SQL authentication bypass attempts 3/3 | frequent false positives |
981249 | Detects chained SQL injection attempts 2/2 | frequent false positives |
981257 | Detects MySQL comment-/space-obfuscated injections and backtick termination | frequent false positives |
981319 | SQL Injection Attack: SQL Operator Detected | frequent false positives |
And here are the rules which have even more false positives. The rules in this group had tuning rules in half, if not more, of the services I examined:
Rule ID | Description / Message | False Positives Frequency |
--- | --- | --- |
950901 | SQL Injection Attack: SQL Tautology Detected. | very frequent false positives |
959073 | SQL Injection Attack | very frequent false positives |
960015 | Request Missing an Accept Header | very frequent false positives |
960017 | Host header is a numeric IP address | very frequent false positives |
960024 | Meta-Character Anomaly Detection Alert – Repetative Non-Word Characters | very frequent false positives |
981172 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
981173 | Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded | very frequent false positives |
981231 | SQL Comment Sequence Detected. | very frequent false positives |
981243 | Detects classic SQL injection probings 2/2 | very frequent false positives |
981248 | Detects chained SQL injection attempts 1/2 | very frequent false positives |
981260 | SQL Hex Encoding Identified | very frequent false positives |
Not surprisingly, dear friends like 960024, 981172, 981173 and 981260 ended up here. The plan is to bring them back into the 3.0.0 core rules release with the help of the paranoia mode, since as of this writing they have all been removed. The following rules from the list above are gone from the development release: 959070, 959071, 959072, 959073, 960024, 973300, 973332, 973333, 981172, 981173, 981231 and 981260.
The discussion about these rules and their proper place is being carried out on the core rules mailing list. If you have any comments, then please get back to me or join the discussion there.
Christian Folini
[EDIT] @tunetheweb sent in word about his summary of rule tunings at stackoverflow.
Removed duplicate rule ids 950103 and 970018 (hint by Scott Brown)