OWASP - User contributions [en]

User:Zino

2017-04-26T08:45:45Z

Zino: Blanked the page

OWASP ModSec CRS Paranoia Mode Sibling 981172

2016-03-15T06:45:19Z

Zino: /* 981172 : SQL Injection Character Anomaly Usage */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981172 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981172
| 942420
| 942421-942424
| Regex counter decreased from 8 to 2. Anomaly scoring increased to critical.
| None
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981172.
# The regex limit is set to '2' and the anomaly scoring is increased to 'critical'.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){2,}"
"capture,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1,\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-03-15T06:44:34Z

Zino: /* 981173 : SQL Injection Character Anomaly Usage */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981173 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981173
| 942430
| 942431-942434
| Regex counter decreased from 4 to 1. Anomaly scoring increased to critical.
| Regex for UUIDs in chained Rule
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.x Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
# For 3.0.0-rc1 rule, see FIXME.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode

2016-03-15T05:11:42Z

Zino: Task list and Project info

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike><strike>February</strike>March 2016 (Almost there!)
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki] / [https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/ Mechanics Proposal]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link v3.0.0-rc1 (our base)''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Github Link paranoia-mode''': https://github.com/dune73/owasp-modsecurity-crs/tree/paranoia-mode
* '''Final Pull Request #1: Add paranoia mode mechanics''': https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/292 MERGED
* '''Final Pull Request #2: Move first rules to paranoia mode''': https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/300 MERGED
* '''Final Pull Request #3: Add 2.2.X rules to paranoia mode''': https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/308 MERGED
* '''Final Pull Request #4: Add stricter siblings''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| closed
|-
| Sort out mechanics of the paranoia mode
| Christian
| closed
|-
| Write new stricter siblings for existing rules
| Noël
| closed
|-
| Define ID-space for strict siblings
| Fraziska, group
| closed
|-
| Define exact syntax of paranoia mode setup
| Christian, group
| closed
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian, group
| closed
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''confirmed'',''candidate'', ''cloning-confirmed'',''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-confirmed', 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 950001
| 942150
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| confirmed
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs; discussion concluded, that rule should end up in paranoia mode, possibly with additional conditions to reduce FPs (scope outside of this paranoia mode project) [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001885.html Link to discussion]
|-
| 960335
| 920380
| Too many arguments in request
| confirmed
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| confirmed
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 959070
| gone -> 942380
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone -> 942390
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone -> 942400
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone -> 942410
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient) Discussion concluded it's moved to paranoia mode. [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001888.html Link to discussion] Spartan: Many mobile devices do not send this header, very high FP.
|-
| 960024
| gone -> 942460
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| confirmed
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| confirmed
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application); Discussion resolved with move to paranoia mode. 403 will cloak a backend error, which is hard for an inexperienced admin and thus complicates things in standard installations [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001889.html Link to discussion]
|-
| 973300
| gone -> 941320
| Possible XSS Attack Detected - HTML Tag Handler
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone -> 941330
| IE XSS Filters - Attack Detected.
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone -> 941340
| IE XSS Filters - Attack Detected.
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone -> 942420
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone -> 942430
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone -> 942440
| SQL Comment Sequence Detected.
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP; discussion did not bring up additional arguments. Moving to paranoia mode [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001890.html Link to discussion]
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, discussion did not bring up any additional arguments. Moving to paranoia mode [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001890.html Link to discussion]
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone -> 942450
| SQL Hex Encoding Identified
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| confirmed
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-confirmed
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-confirmed
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-confirmed
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950907
| 932100
| System Command Injection
| dropped
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Discussion evolved about splitting the file, which everybody thinks is a good idea. But that would be outside the scope of the introduction of the paranoia mode. So the rule stays in the standard set of rules for the time being and will be split in the future [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001886.html Link to discussion]
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| dropped
| Franziska's candidate: Do we want to exlude countries? But then easy to configure. Discussion pointed out this as an effective rule. We leave it in the standard rules, but provide an empty country list by default [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001951.html Link to discussion]. [https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/284 Separate pull request]
|-
| 960017
| 920350
| Host header is a numeric IP address
| dropped
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans); Discussion concluded that legitimate use of numeric IP addresses is rare. This is really mostly mass scanners. Rule will be kept in standard set of rules [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001888.html Link to discussion]
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| dropped
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file. The discussion revealed that splitting the data file in a clean way is very difficult. Walter Hop volunteered to rework the php rules completely. Chaim might join that effort.
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| dropped
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives. Splitting file? The discussion revealed that splitting the data file in a clean way is very difficult. Walter Hop volunteered to rework the php rules completely. Chaim might join that effort.
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts); folinic: Problem solved in WP: https://core.trac.wordpress.org/ticket/35412
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

Stricter Siblings are rules that are present in the CRS but could be accompanied by a stricter clone in Paranoia Mode. Adjustments can differ from rule to rule but include higher anomaly ratings or stricter triggers (e.g. regex counters). To prevent masses of false positives, rules can come with additional filters (chained rules) for common use-cases. These can either be included into Paranoia Mode or simply serve as a recommendation.

Note: To avoid a cluttered project main-page, rule proposals are documented in their respective sub-page. When adding new proposals, make sure adding the rules original (2.2.x) ID, a quick description of what changes were made, and, if applicable, which additional filters were added.

'''Possible siblings:'''

[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173|981173 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981172|981172 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981049|981049 : Potential Denial of Service (DoS)]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_970003|970003 : SQL Error Leakage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_960901|960901 : Invalid character in request]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958980|958980 : PHP Injection Attack: Variables Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958979|958979 : PHP Injection Attack: Configuration Directive Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958977|958977 : PHP Injection Attack: Function Name Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_950907|950907 : Remote Command Execution (RCE) Attempt]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_950001|950001 : SQL Injection Attack]]

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

==How to Perform Pull Request to a Branch of Master==

'''By Walter Hop'''

This example assumes that the Github username is 'lifeforms', replace with your own username.

'''Step 1. Create a Github fork of the original repository'''
* a. Browse to CRS: https://github.com/SpiderLabs/owasp-modsecurity-crs
* b. Click "Fork" button in the top right

'''Step 2. Download your Github fork, and checkout the correct branch ''' 
<code>
git clone git@github.com:lifeforms/owasp-modsecurity-crs.git 
cd owasp-modsecurity-crs 
git checkout v3.0.0-rc1 
</code>

'''Step 3. Add the original repository as upstream, to integrate new changes easily''' 
<code>
git remote add upstream git@github.com:SpiderLabs/owasp-modsecurity-crs.git
</code>

'''Step 4. Make sure your forked repo is up to date with changes in the original repository''' 
(You may only need to do this if somebody else worked on the original in the meantime)
<code>
git checkout v3.0.0-rc1 
git fetch upstream 
git merge upstream/v3.0.0-rc1 
git push 
</code>

'''Step 5. Optional: If you want to create multiple pull requests, then create a branch for every separate issue you'd like to fix.''' 
(Upstream can then select to accept and reject individual fixes) 
<code>
git checkout -b myfeature v3.0.0-rc1 
git push --set-upstream origin myfeature 
git remote set-branches --add origin myfeature 
</code>

'''Step 6. Make local changes and commit them''' 
<code>
git add ... 
git commit 
</code>

'''Step 7. Push your local changes to your fork at Github''' 
<code>
git push 
</code>

'''Step 8. Create the pull request'''
* a. Browse to your own fork: https://github.com/lifeforms/owasp-modsecurity-crs
* b. Click "New pull request" button
* c. In the "base fork", ensure that the correct branch is selected: v3.0.0-rc1
* d. In the "head fork", pick "myfeature" (if you used branches) or v3.0.0-rc1 (if you didn't)
* e. Review the content of the pull request (should only contain your commits)
* f. Press "Create pull request" button

===Resources===

* https://help.github.com/articles/fork-a-repo/
* https://help.github.com/articles/syncing-a-fork/
* https://help.github.com/articles/using-pull-requests/

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 950001

2016-03-10T09:39:07Z

Zino: /* 950001 : SQL Injection Attack */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 950001 : SQL Injection Attack ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 950001
| 942150
| 942151-942154
| Rule now triggers on it's own
| none
|}

#
# -=[ SQL Function Names ]=-
#
# This is a paranoid sibling to 2.2.x Rule 950001.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 942150.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf sql-function-names.data" \
"msg:'SQL Injection Attack',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/2.2.6',\
maturity:'9',\
accuracy:'8',\
capture,\
t:none,t:urlDecodeUni,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-mutli',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL'
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 950907

2016-03-10T09:36:32Z

Zino: /* 950907 : OS Command Injection Attacks */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 950907 : OS Command Injection Attacks ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 950907
| 932100
| 932101-932104
| Rule now triggers on it's own
| none
|}

#
# OS Command Injection Attacks
#
# This is a paranoid sibling to 2.2.x Rule 950907.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 932100.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf os-commands.data" \
"msg:'Remote Command Execution (RCE) Attempt',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-remote code execution',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 958977

2016-03-10T09:33:59Z

Zino: /* 958977 : PHP Injection Attack: Configuration Directive Found */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958977 : PHP Injection Attack: Function Name Found ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958977
| 933110
| 933111-933114
| Rule now triggers on it's own
| none
|}

#
# [ PHP Function Names ]
#
# This is a paranoid sibling to 2.2.x Rule 958977.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 933110.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names.data" \
"msg:'PHP Injection Attack: Function Name Found',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,t:urldecode,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 958977

2016-03-10T09:31:34Z

Zino: /* 958977 : PHP Injection Attack: Configuration Directive Found */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958977 : PHP Injection Attack: Configuration Directive Found ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958977
| 933110
| 933111-933114
| Rule now triggers on it's own
| none
|}

#
# [ PHP Function Names ]
#
# This is a paranoid sibling to 2.2.x Rule 958977.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 933110.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names.data" \
"msg:'PHP Injection Attack: Function Name Found',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,t:urldecode,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 958979

2016-03-10T09:29:26Z

Zino: /* 958979 : PHP Injection Attack: Configuration Directive Found */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958979 : PHP Injection Attack: Configuration Directive Found ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958979
| 933120
| 933121-933124
| Rule now triggers on it's own
| none
|}

#
# [ PHP Configuration Directives ]
#
# This is a paranoid sibling to 2.2.x Rule 958979.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 933120.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
"msg:'PHP Injection Attack: Configuration Directive Found',\
phase:request,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 958980

2016-03-10T09:26:12Z

Zino: /* 958980 : PHP Injection Attack: Variables Found */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958980 : PHP Injection Attack: Variables Found ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958980
| 933130
| 933131-933134
| Rule now triggers on it's own
| none
|}

#
# [ PHP Variables ]
#
# This is a paranoid sibling to 2.2.x Rule 958980.
# The rule is no longer chained in order to trigger anomaly scoring.
# For 3.0.0-rc1 rule, see 933130.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
"msg:'PHP Injection Attack: Variables Found',\
phase:request,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 960901

2016-03-10T09:12:39Z

Zino: /* 960901 : Invalid character in request */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 960901 : Invalid character in request ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 960901
| 920270
| 920271-920274
| Character byte range limited to 32-126.
| none
|}

#
# [ Invalid character in request ]
#
# This is a paranoid sibling to 2.2.x Rule 960901.
# Byte range restrictions are now set to 32-126.
# For 3.0.0-rc1 rule, see 920270.
#
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 32-126" \
"phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
block,\
msg:'Invalid character in request',\
id:'XXXXXX',\
severity:'ERROR',\
t:none,t:urlDecodeUni,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 960901

2016-03-10T09:09:47Z

Zino: /* 960901 : Invalid character in request */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 960901 : Invalid character in request ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 960901
| 920270
| 920271-920274
| Character byte range limited to 32-126.
| none
|}

#
# [ Invalid character in request ]
#
# This is a paranoid sibling to 2.2.x Rule 960901.
# Byte range restrictions are now set to 32-126.
# For unadapted 3.0.0 Rule see Rule ID 920270.
#
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 32-126" \
"phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
block,\
msg:'Invalid character in request',\
id:'XXXXXX',\
severity:'ERROR',\
t:none,t:urlDecodeUni,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 970003

2016-03-10T08:49:30Z

Zino: /* 970003 : SQL Error Leakage */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 970003 : SQL Error Leakage ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 970003
| 951100
| 951101-951104
| Triggers anomaly score directly now
| none
|}

#
# -=[ SQL Error Leakage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 970003.
# The rule now triggers the anomaly scoring instantly
# instead of just setting tx.sql_error_match.
# For 3.0.0-rc1 rule, see 951100.
#
SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
"phase:response,\
id:XXXXXX,\
rev:'5',\
ver:'OWASP_CRS/3.0.0',\
pass,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-information disclosure',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
t:none"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 981172

2016-03-10T08:44:25Z

Zino: /* 981172 : SQL Injection Character Anomaly Usage */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981172 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981172
| tbd
| tbd
| Regex counter decreased from 8 to 2. Anomaly scoring increased to critical.
| None
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981172.
# The regex limit is set to '2' and the anomaly scoring is increased to 'critical'.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){2,}"
"capture,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1,\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-03-10T07:24:02Z

Zino: /* 981173 : SQL Injection Character Anomaly Usage */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981173 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981173
| tbd
| tbd
| Regex counter decreased from 4 to 1. Anomaly scoring increased to critical.
| Regex for UUIDs in chained Rule
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.x Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
# For 3.0.0-rc1 rule, see FIXME.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode Sibling 981049

2016-03-10T07:21:44Z

Zino: /* 981049 : Potential Denial of Service (DoS) */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981049 : Potential Denial of Service (DoS) ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981049
| 912100
| 912101-912104
| Operator match decreased form 2 to 1. ''Optional: change tx.dos_burst_time_slice, tx.dos_counter_threshold and/or tx.dos_block_timeout''
| None
|}

#
# -=[ Potential Denial of Service (DoS) ]=-
#
# This is a paranoid sibling to 2.2.9 Experimental Rule 981049.
# The rule now triggers after the first burst instead of the second.
# For 3.0.0-rc1 rule, see 912100.
#
SecRule IP:DOS_BURST_COUNTER "@ge 1"
"phase:logging,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,\
log,\
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts:%{ip.dos_burst_counter}',\
id:'XXXXXX',\
tag:'FIXME Filler for attacktype',\
tag:'Paranoia rule on level Z',\
setvar:ip.dos_block=1,\
expirevar:ip.dos_block=%{tx.dos_block_timeout},\
pass"

=== Notes ===

This rule can not be implemented as is. Rules 981044 - 981048 from ''owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf'' need to be integrated to allow proper blocking. There should be no need to adjust these rules for desired effects.

Also note that more Paranoia tuning can be done by adjusting the DoS Protection variable values in your main configuration (e.g. modsecurity_crs_10_setup.conf).

#
# -- <nowiki>[[ DoS Protection ]]</nowiki> ----------------------------------------------------------------
#
# This is a Paranoia Mode Clone.
# Adjust the following variables to fine tune paranoia level.
#
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
"id:XXXXXX',\
phase:request,\
t:none,\
setvar:'tx.dos_burst_time_slice=90',\
setvar:'tx.dos_counter_threshold=50',\
setvar:'tx.dos_block_timeout=600',\
nolog,\
pass"

[[Category:OWASP ModSecurity Core Rule Set Project]]

OWASP ModSec CRS Paranoia Mode

2016-03-06T19:42:28Z

Zino: /* Sub-Project Infos */

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki] / [https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/ Mechanics Proposal]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link v3.0.0-rc1 (our base)''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Github Link paranoia-mode''': https://github.com/dune73/owasp-modsecurity-crs/tree/paranoia-mode
* '''Final Pull Request #1: Add paranoia mode mechanics''': https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/292
* '''Final Pull Request #2: Move first rules to paranoia mode''': https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/300
* '''Final Pull Request #3: Add 2.2.X rules to paranoia mode''': FIXME
* '''Final Pull Request #4: Add stricter siblings''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| assigned
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| closed
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''confirmed'',''candidate'', ''cloning-confirmed'',''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-confirmed', 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 950001
| 942150
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| confirmed
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs; discussion concluded, that rule should end up in paranoia mode, possibly with additional conditions to reduce FPs (scope outside of this paranoia mode project) [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001885.html Link to discussion]
|-
| 960335
| 920380
| Too many arguments in request
| confirmed
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| confirmed
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 959070
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient) Discussion concluded it's moved to paranoia mode. [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001888.html Link to discussion] Spartan: Many mobile devices do not send this header, very high FP.
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| confirmed
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| confirmed
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application); Discussion resolved with move to paranoia mode. 403 will cloak a backend error, which is hard for an inexperienced admin and thus complicates things in standard installations [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001889.html Link to discussion]
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP; discussion did not bring up additional arguments. Moving to paranoia mode [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001890.html Link to discussion]
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, discussion did not bring up any additional arguments. Moving to paranoia mode [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001890.html Link to discussion]
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| confirmed
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-confirmed
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-confirmed
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-confirmed
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950907
| 932100
| System Command Injection
| dropped
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Discussion evolved about splitting the file, which everybody thinks is a good idea. But that would be outside the scope of the introduction of the paranoia mode. So the rule stays in the standard set of rules for the time being and will be split in the future [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001886.html Link to discussion]
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| dropped
| Franziska's candidate: Do we want to exlude countries? But then easy to configure. Discussion pointed out this as an effective rule. We leave it in the standard rules, but provide an empty country list by default [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001951.html Link to discussion]. [https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/284 Separate pull request]
|-
| 960017
| 920350
| Host header is a numeric IP address
| dropped
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans); Discussion concluded that legitimate use of numeric IP addresses is rare. This is really mostly mass scanners. Rule will be kept in standard set of rules [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001888.html Link to discussion]
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| dropped
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file. The discussion revealed that splitting the data file in a clean way is very difficult. Walter Hop volunteered to rework the php rules completely. Chaim might join that effort.
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| dropped
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives. Splitting file? The discussion revealed that splitting the data file in a clean way is very difficult. Walter Hop volunteered to rework the php rules completely. Chaim might join that effort.
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts); folinic: Problem solved in WP: https://core.trac.wordpress.org/ticket/35412
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

Stricter Siblings are rules that are present in the CRS but could be accompanied by a stricter clone in Paranoia Mode. Adjustments can differ from rule to rule but include higher anomaly ratings or stricter triggers (e.g. regex counters). To prevent masses of false positives, rules can come with additional filters (chained rules) for common use-cases. These can either be included into Paranoia Mode or simply serve as a recommendation.

Note: To avoid a cluttered project main-page, rule proposals are documented in their respective sub-page. When adding new proposals, make sure adding the rules original (2.2.x) ID, a quick description of what changes were made, and, if applicable, which additional filters were added.

'''Possible siblings:'''

[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173|981173 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981172|981172 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981049|981049 : Potential Denial of Service (DoS)]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_970003|970003 : SQL Error Leakage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_960901|960901 : Invalid character in request]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958980|958980 : PHP Injection Attack: Variables Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958979|958979 : PHP Injection Attack: Configuration Directive Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958977|958977 : PHP Injection Attack: Function Name Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_950907|950907 : Remote Command Execution (RCE) Attempt]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_950001|950001 : SQL Injection Attack]]

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-03-01T19:47:18Z

Zino: additional Rule ID information added to table

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981173 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1 (original Rule)'''
| '''RuleID 3.0.0-rc1 (paranoid Rule)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981173
| none
| tbd
| Regex counter decreased from 4 to 1. Anomaly scoring increased to critical
| Regex for UUIDs in chained Rule
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.x Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-03-01T19:44:56Z

Zino: /* 981173 : SQL Injection Character Anomaly Usage */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981173 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''RuleID 2.2.x'''
| '''RuleID 3.0.0-rc1'''
| '''Change'''
| '''Whitelisting'''
|-
| 981173
| none
| Regex counter decreased from 4 to 1. Anomaly scoring increased to critical
| Regex for UUIDs in chained Rule
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.x Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

OWASP ModSec CRS Paranoia Mode Sibling 958977

2016-02-24T12:25:41Z

Zino: /* 958977 : PHP Injection Attack: Configuration Directive Found */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958977 : PHP Injection Attack: Configuration Directive Found ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958977
| Rule now triggers on it's own
| none
|}

#
# [ PHP Function Names ]
#
# This is a paranoid sibling to 2.2.x Rule 958977.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 933110.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names.data" \
"msg:'PHP Injection Attack: Function Name Found',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,t:urldecode,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 960901

2016-02-24T09:09:27Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 960901 : Invalid character in request ==..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 960901 : Invalid character in request ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 960901
| Character byte range limited to 32-126.
| none
|}

#
# [ Invalid character in request ]
#
# This is a paranoid sibling to 2.2.x Rule 960901.
# Byte range restrictions are now set to 32-126.
# For unadapted 3.0.0 Rule see Rule ID 920270.
#
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 32-126" \
"phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
block,\
msg:'Invalid character in request',\
id:'XXXXXX',\
severity:'ERROR',\
t:none,t:urlDecodeUni,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

OWASP ModSec CRS Paranoia Mode Sibling 950001

2016-02-24T08:43:48Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 950001 : SQL Injection Attack == {|- cla..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 950001 : SQL Injection Attack ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 950001
| Rule now triggers on it's own
| none
|}

#
# -=[ SQL Function Names ]=-
#
# This is a paranoid sibling to 2.2.x Rule 950001.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 942150.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf sql-function-names.data" \
"msg:'SQL Injection Attack',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/2.2.6',\
maturity:'9',\
accuracy:'8',\
capture,\
t:none,t:urlDecodeUni,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-mutli',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL'
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 950907

2016-02-24T08:13:12Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 950907 : OS Command Injection Attacks ==..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 950907 : OS Command Injection Attacks ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 950907
| Rule now triggers on it's own
| none
|}

#
# OS Command Injection Attacks
#
# This is a paranoid sibling to 2.2.x Rule 950907.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 932100.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf os-commands.data" \
"msg:'Remote Command Execution (RCE) Attempt',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-remote code execution',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 958977

2016-02-23T08:41:07Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 958977 : PHP Injection Attack: Configurat..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958977 : PHP Injection Attack: Configuration Directive Found ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958977
| Rule now triggers on it's own
| none
|}

#
# [ PHP Function Names ]
#
# This is a paranoid sibling to 2.2.x Rule 958977.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 933110.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names.data" \
"msg:'PHP Injection Attack: Function Name Found',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
capture,\
t:none,t:normalisePath,t:urldecode,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 958980

2016-02-23T08:22:44Z

Zino:

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958980 : PHP Injection Attack: Variables Found ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958980
| Rule now triggers on it's own
| none
|}

#
# [ PHP Variables ]
#
# This is a paranoid sibling to 2.2.x Rule 958980.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 933130.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
"msg:'PHP Injection Attack: Variables Found',\
phase:request,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 958979

2016-02-23T08:22:16Z

Zino: /* 958979 : PHP Injection Attack: Configuration Directive Found */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958979 : PHP Injection Attack: Configuration Directive Found ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958979
| Rule now triggers on it's own
| none
|}

#
# [ PHP Configuration Directives ]
#
# This is a paranoid sibling to 2.2.x Rule 958979.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 933120.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
"msg:'PHP Injection Attack: Configuration Directive Found',\
phase:request,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 958979

2016-02-23T08:21:02Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 958979 : PHP Injection Attack: Configurat..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958979 : PHP Injection Attack: Configuration Directive Found ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958979
| Rule now triggers on it's own
| none
|}

#
# [ PHP Configuration Directives ]
#
# This is a paranoid sibling to 2.2.x Rule 958979.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 933120.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
"msg:'PHP Injection Attack: Configuration Directive Found',\
phase:request,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
capture,\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 958980

2016-02-22T11:13:48Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 958980 : PHP Injection Attack: Variables..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 958980 : PHP Injection Attack: Variables Found ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 958980
| Does trigger on it's own now
| none
|}

#
# [ PHP Variables ]
#
# This is a paranoid sibling to 2.2.x Rule 958980.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 933130.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
"msg:'PHP Injection Attack: Variables Found',\
phase:request,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
capture,\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode Sibling 970003

2016-02-22T09:31:04Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 970003 : SQL Error Leakage == {|- class=..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 970003 : SQL Error Leakage ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 970003
| Triggers anomaly score directly now
| none
|}

#
# -=[ SQL Error Leakage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 970003.
# The rule now triggers the anomaly scoring instantly
# instead of just setting tx.sql_error_match.
#
SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
"phase:response,\
id:XXXXXX,\
rev:'5',\
ver:'OWASP_CRS/3.0.0',\
pass,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-information disclosure',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
t:none"

OWASP ModSec CRS Paranoia Mode

2016-02-20T11:07:10Z

Zino: /* Stricter siblings for existing rules */ -> New Rules added

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki] / [https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/ Mechanics Proposal]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link v3.0.0-rc1 (our base)''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Github Link paranoia-mode''': https://github.com/dune73/owasp-modsecurity-crs/tree/paranoia-mode
* '''Final Pull Request #1: Add paranoia mode mechanics''': FIXME
* '''Final Pull Request #2: Move first rules to paranoia mode''': FIXME
* '''Final Pull Request #3: Add 2.2.X rules to paranoia mode''': FIXME
* '''Final Pull Request #4: Add stricter siblings''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| assigned
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| closed
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''confirmed'',''candidate'', ''cloning-confirmed'',''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-confirmed', 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 950001
| 942150
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| confirmed
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs; discussion concluded, that rule should end up in paranoia mode, possibly with additional conditions to reduce FPs (scope outside of this paranoia mode project) [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001885.html Link to discussion]
|-
| 960335
| 920380
| Too many arguments in request
| confirmed
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| confirmed
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 959070
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| confirmed
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient) Discussion concluded it's moved to paranoia mode. [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001888.html Link to discussion] Spartan: Many mobile devices do not send this header, very high FP.
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| confirmed
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| confirmed
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| confirmed
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application); Discussion resolved with move to paranoia mode. 403 will cloak a backend error, which is hard for an inexperienced admin and thus complicates things in standard installations [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001889.html Link to discussion]
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP; discussion did not bring up additional arguments. Moving to paranoia mode [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001890.html Link to discussion]
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, discussion did not bring up any additional arguments. Moving to paranoia mode [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001890.html Link to discussion]
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| confirmed
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| confirmed
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| confirmed
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| confirmed
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-confirmed
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-confirmed
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-confirmed
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-confirmed
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950907
| 932100
| System Command Injection
| dropped
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Discussion evolved about splitting the file, which everybody thinks is a good idea. But that would be outside the scope of the introduction of the paranoia mode. So the rule stays in the standard set of rules for the time being and will be split in the future [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001886.html Link to discussion]
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| dropped
| Franziska's candidate: Do we want to exlude countries? But then easy to configure. Discussion pointed out this as an effective rule. We leave it in the standard rules, but provide an empty country list by default [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001951.html Link to discussion]. [https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/284 Separate pull request]
|-
| 960017
| 920350
| Host header is a numeric IP address
| dropped
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans); Discussion concluded that legitimate use of numeric IP addresses is rare. This is really mostly mass scanners. Rule will be kept in standard set of rules [http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-February/001888.html Link to discussion]
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| dropped
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file. The discussion revealed that splitting the data file in a clean way is very difficult. Walter Hop volunteered to rework the php rules completely. Chaim might join that effort.
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| dropped
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives. Splitting file? The discussion revealed that splitting the data file in a clean way is very difficult. Walter Hop volunteered to rework the php rules completely. Chaim might join that effort.
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts)
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

Stricter Siblings are rules that are present in the CRS but could be accompanied by a stricter clone in Paranoia Mode. Adjustments can differ from rule to rule but include higher anomaly ratings or stricter triggers (e.g. regex counters). To prevent masses of false positives, rules can come with additional filters (chained rules) for common use-cases. These can either be included into Paranoia Mode or simply serve as a recommendation.

Note: To avoid a cluttered project main-page, rule proposals are documented in their respective sub-page. When adding new proposals, make sure adding the rules original (2.2.x) ID, a quick description of what changes were made, and, if applicable, which additional filters were added.

'''Possible siblings:'''

[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173|981173 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981172|981172 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981049|981049 : Potential Denial of Service (DoS)]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_970003|970003 : SQL Error Leakage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_960901|960901 : Invalid character in request]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958980|958980 : PHP Injection Attack: Variables Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958979|958979 : PHP Injection Attack: Configuration Directive Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_958977|958977 : PHP Injection Attack: Function Name Found]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_950907|950907 : Remote Command Execution (RCE) Attempt]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_950001|950001 : SQL Injection Attack]]

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode Sibling 981049

2016-02-10T11:04:51Z

Zino: /* 981049 : Potential Denial of Service (DoS) */

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981049 : Potential Denial of Service (DoS) ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981049
| Operator match decreased form 2 to 1. ''Optional: change tx.dos_burst_time_slice, tx.dos_counter_threshold and/or tx.dos_block_timeout''
| None
|}

#
# -=[ Potential Denial of Service (DoS) ]=-
#
# This is a paranoid sibling to 2.2.9 Experimental Rule 981049.
# The rule now triggers after the first burst instead of the second.
#
SecRule IP:DOS_BURST_COUNTER "@ge 1"
"phase:logging,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,\
log,\
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts:%{ip.dos_burst_counter}',\
id:'XXXXXX',\
tag:'FIXME Filler for attacktype',\
tag:'Paranoia rule on level Z',\
setvar:ip.dos_block=1,\
expirevar:ip.dos_block=%{tx.dos_block_timeout},\
pass"

=== Notes ===

This rule can not be implemented as is. Rules 981044 - 981048 from ''owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf'' need to be integrated to allow proper blocking. There should be no need to adjust these rules for desired effects.

Also note that more Paranoia tuning can be done by adjusting the DoS Protection variable values in your main configuration (e.g. modsecurity_crs_10_setup.conf).

#
# -- <nowiki>[[ DoS Protection ]]</nowiki> ----------------------------------------------------------------
#
# This is a Paranoia Mode Clone.
# Adjust the following variables to fine tune paranoia level.
#
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
"id:XXXXXX',\
phase:request,\
t:none,\
setvar:'tx.dos_burst_time_slice=90',\
setvar:'tx.dos_counter_threshold=50',\
setvar:'tx.dos_block_timeout=600',\
nolog,\
pass"

OWASP ModSec CRS Paranoia Mode Sibling 981049

2016-02-10T11:02:55Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 981049 : Potential Denial of Service (DoS..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981049 : Potential Denial of Service (DoS) ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981049
| Operator match decreased form 2 to 1. ''optional: change tx.dos_burst_time_slice, tx.dos_counter_threshold and/or tx.dos_block_timeout''
| None
|}

#
# -=[ Potential Denial of Service (DoS) ]=-
#
# This is a paranoid sibling to 2.2.9 Experimental Rule 981049.
# The rule now triggers after the first burst instead of the second.
#
SecRule IP:DOS_BURST_COUNTER "@ge 1"
"phase:logging,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,\
log,\
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts:%{ip.dos_burst_counter}',\
id:'XXXXXX',\
tag:'FIXME Filler for attacktype',\
tag:'Paranoia rule on level Z',\
setvar:ip.dos_block=1,\
expirevar:ip.dos_block=%{tx.dos_block_timeout},\
pass"

=== Notes ===

This rule can not be implemented as is. Rules 981044 - 981048 from ''owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf'' need to be integrated to allow proper blocking. There should be no need to adjust these rules for desired effects.

Also note that more Paranoia tuning can be done by adjusting the DoS Protection variable values in your main configuration (e.g. modsecurity_crs_10_setup.conf).

#
# -- <nowiki>[[ DoS Protection ]]</nowiki> ----------------------------------------------------------------
#
# This is a Paranoia Mode Clone.
# Adjust the following variables to fine tune paranoia level.
#
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
"id:XXXXXX',\
phase:request,\
t:none,\
setvar:'tx.dos_burst_time_slice=90',\
setvar:'tx.dos_counter_threshold=50',\
setvar:'tx.dos_block_timeout=600',\
nolog,\
pass"

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-02-10T08:44:02Z

Zino:

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981173 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981173
| Regex counter decreased from 4 to 1. Anomaly scoring increased to critical.
| Regex for UUIDs in chained Rule.
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

OWASP ModSec CRS Paranoia Mode Sibling 981172

2016-02-10T08:41:04Z

Zino: Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 981172 : SQL Injection Character Anomaly..."

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''

== 981172 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981172
| Regex counter decreased from 8 to 2. Anomaly scoring increased to critical.
| None
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981172.
# The regex limit is set to '2' and the anomaly scoring is increased to 'critical'.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){2,}"
"capture,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1,\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

OWASP ModSec CRS Paranoia Mode

2016-02-10T08:18:59Z

Zino: /* Stricter siblings for existing rules */

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki] / [https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/ Mechanics Proposal]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Final Pull Request''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| assigned
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| assigned
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''candidate'', ''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| unsure
| Franziska's candidate: Do we want to exlude countries? But then easy to configure.
|-
| 950001
| 942150
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| candidate
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs, #discuss
|-
| 960335
| 920380
| Too many arguments in request
| candidate
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950907
| 932100
| System Command Injection
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Maybe we should split the data file #discuss
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| candidate
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file #discuss
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives.
|-
| 959070
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient)
|-
| 960017
| 920350
| Host header is a numeric IP address
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans) #discuss
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| candidate
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application) #discuss
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP, #discuss
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, #discuss
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| candidate
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-candidate
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-candidate
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-candidate
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts)
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

Stricter Siblings are rules that are present in the CRS but could be accompanied by a stricter clone in Paranoia Mode. Adjustments can differ from rule to rule but include higher anomaly ratings or stricter triggers (e.g. regex counters). To prevent masses of false positives, rules can come with additional filters (chained rules) for common use-cases. These can either be included into Paranoia Mode or simply serve as a recommendation.

Note: To avoid a cluttered project main-page, rule proposals are documented in their respective sub-page. When adding new proposals, make sure adding the rules original (2.2.x) ID, a quick description of what changes were made, and, if applicable, which additional filters were added.

'''Possible siblings:'''

[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981049|981049 : Potential Denial of Service (DoS)]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981172|981172 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173|981173 : SQL Injection Character Anomaly Usage]]

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode

2016-02-10T08:16:52Z

Zino: /* Stricter siblings for existing rules */

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki] / [https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/ Mechanics Proposal]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Final Pull Request''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| assigned
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| assigned
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''candidate'', ''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| unsure
| Franziska's candidate: Do we want to exlude countries? But then easy to configure.
|-
| 950001
| 942150
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| candidate
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs, #discuss
|-
| 960335
| 920380
| Too many arguments in request
| candidate
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950907
| 932100
| System Command Injection
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Maybe we should split the data file #discuss
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| candidate
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file #discuss
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives.
|-
| 959070
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient)
|-
| 960017
| 920350
| Host header is a numeric IP address
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans) #discuss
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| candidate
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application) #discuss
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP, #discuss
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, #discuss
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| candidate
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-candidate
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-candidate
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-candidate
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts)
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

Stricter Siblings are rules that are present in the CRS but could be accompanied by a stricter clone in Paranoia Mode. Adjustments can differ from rule to rule but include higher anomaly ratings or stricter triggers (e.g. regex counters). To prevent masses of false positives, rules can come with additional filters (chained rules) for common use-cases. These can either be included into Paranoia Mode or simply serve as a recommendation.

Note: To avoid a cluttered project main-page, rule proposals are documented in their respective sub-page. When adding new proposals, make sure adding the rules original (2.2.x) ID, a quick description of what changes were made, and, if applicable, which additional filters were added.

'''Possible siblings:'''

[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981049|981049 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981172|981172 : SQL Injection Character Anomaly Usage]] 
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173|981173 : SQL Injection Character Anomaly Usage]]

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode

2016-02-10T08:16:21Z

Zino: /* Stricter siblings for existing rules */ added two more cloning candidates

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki] / [https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/ Mechanics Proposal]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Final Pull Request''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| assigned
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| assigned
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''candidate'', ''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| unsure
| Franziska's candidate: Do we want to exlude countries? But then easy to configure.
|-
| 950001
| 942150
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| candidate
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs, #discuss
|-
| 960335
| 920380
| Too many arguments in request
| candidate
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950907
| 932100
| System Command Injection
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Maybe we should split the data file #discuss
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| candidate
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file #discuss
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives.
|-
| 959070
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient)
|-
| 960017
| 920350
| Host header is a numeric IP address
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans) #discuss
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| candidate
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application) #discuss
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP, #discuss
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, #discuss
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| candidate
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-candidate
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-candidate
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-candidate
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts)
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

Stricter Siblings are rules that are present in the CRS but could be accompanied by a stricter clone in Paranoia Mode. Adjustments can differ from rule to rule but include higher anomaly ratings or stricter triggers (e.g. regex counters). To prevent masses of false positives, rules can come with additional filters (chained rules) for common use-cases. These can either be included into Paranoia Mode or simply serve as a recommendation.

Note: To avoid a cluttered project main-page, rule proposals are documented in their respective sub-page. When adding new proposals, make sure adding the rules original (2.2.x) ID, a quick description of what changes were made, and, if applicable, which additional filters were added.

'''Possible siblings:'''

[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981049|981049 : SQL Injection Character Anomaly Usage]]
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981172|981172 : SQL Injection Character Anomaly Usage]]
[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173|981173 : SQL Injection Character Anomaly Usage]]

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-02-10T08:05:52Z

Zino: /* 981173 : SQL Injection Character Anomaly Usage */ - table added for clearness

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''
== 981173 : SQL Injection Character Anomaly Usage ==

{|- class="wikitable"
| '''Original ID (2.2.x)'''
| '''Change'''
| '''Whitelisting'''
|-
| 981173
| Regex counter decreased from 4 to 1. Anomaly scoring increased to critical.
| Regex for UUIDs in chained Rule.
|}

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level 40',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-02-10T05:33:23Z

Zino:

''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''
==== 981173 : SQL Injection Character Anomaly Usage ====

Original ID (2.2.X): 981173 
Change: Regex counter decreased to '1', anomaly score set to 'critical', paranoia tag added 
FP Filter: UUIDs 

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981173.
# The regex limit is set to {1,}, adjust to your own needs.
# For dealing with false positives caused by uuids, the rule is now chained.
# Also the anomaly score is now set to critical.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level 40',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

OWASP ModSec CRS Paranoia Mode Sibling 981173

2016-02-10T05:25:15Z

Zino: Created page with "==== 981173 : SQL Injection Character Anomaly Usage ==== Original ID (2.2.X): 981173 Change: Regex counter decreased to '1', anomaly score set to 'critical', paranoia tag..."

==== 981173 : SQL Injection Character Anomaly Usage ====

Original ID (2.2.X): 981173 
Change: Regex counter decreased to '1', anomaly score set to 'critical', paranoia tag added 
FP Filter: UUIDs 

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981173.
# The regex limit is set to {1,}, adjust to your own needs.
# For dealing with false positives caused by uuids, the rule is now chained.
# Also the anomaly score is now set to critical.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level 40',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

OWASP ModSec CRS Paranoia Mode

2016-02-10T05:23:43Z

Zino: /* Stricter siblings for existing rules */ - Rewrote description, moved siblings to sub-pages

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki] / [https://www.netnea.com/cms/2016/02/04/owasp-modsecurity-core-rules-paranoia-mode-mechanics-proposal/ Mechanics Proposal]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Final Pull Request''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| assigned
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| assigned
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''candidate'', ''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| unsure
| Franziska's candidate: Do we want to exlude countries? But then easy to configure.
|-
| 950001
| 942150
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| candidate
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs, #discuss
|-
| 960335
| 920380
| Too many arguments in request
| candidate
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950907
| 932100
| System Command Injection
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Maybe we should split the data file #discuss
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| candidate
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file #discuss
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives.
|-
| 959070
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient)
|-
| 960017
| 920350
| Host header is a numeric IP address
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans) #discuss
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| candidate
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application) #discuss
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP, #discuss
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, #discuss
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| candidate
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-candidate
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-candidate
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-candidate
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts)
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

Stricter Siblings are rules that are present in the CRS but could be accompanied by a stricter clone in Paranoia Mode. Adjustments can differ from rule to rule but include higher anomaly ratings or stricter triggers (e.g. regex counters). To prevent masses of false positives, rules can come with additional filters (chained rules) for common use-cases. These can either be included into Paranoia Mode or simply serve as a recommendation.

Note: To avoid a cluttered project main-page, rule proposals are documented in their respective sub-page. When adding new proposals, make sure adding the rules original (2.2.x) ID, a quick description of what changes were made, and, if applicable, which additional filters were added.

'''Possible siblings:'''

[[OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173|981173 : SQL Injection Character Anomaly Usage]]

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode

2016-02-03T14:39:40Z

Zino: /* 981173 : SQL Injection Character Anomaly Usage */

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Final Pull Request''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| assigned
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| new
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''candidate'', ''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| unsure
| Franziska's candidate: Do we want to exlude countries? But then easy to configure.
|-
| 950001
| 942150
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| candidate
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs, #discuss
|-
| 960335
| 920380
| Too many arguments in request
| candidate
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950907
| 932100
| System Command Injection
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Maybe we should split the data file #discuss
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| candidate
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file #discuss
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives.
|-
| 959070
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient)
|-
| 960017
| 920350
| Host header is a numeric IP address
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans) #discuss
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| candidate
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application) #discuss
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP, #discuss
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, #discuss
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| candidate
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-candidate
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-candidate
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-candidate
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts)
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

The siblings detection rates and the anomaly ratings are drastically adjusted. To prevent loads of false positives, the rules can be filtered for common FP cases through chaining.

==== 981173 : SQL Injection Character Anomaly Usage ====

Original ID (2.2.X): 981173 
Change: Regex counter decreased to '1', anomaly score set to 'critical', paranoia tag added 
FP Filter: UUIDs 

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981173.
# The regex limit is set to {1,}, adjust to your own needs.
# For dealing with false positives caused by uuids, the rule is now chained.
# Also the anomaly score is now set to critical.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level 40',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode

2016-02-03T12:26:35Z

Zino: /* 981173 : SQL Injection Character Anomaly Usage */

==Abstract==

This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.

FIXME: Detailed description

''Back to the [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rules Set].''

==Sub-Project Infos==

* '''Status''': active (January 2016)
* '''Schedule''': Pull request in <strike>January</strike>February 2016
* '''Who''': Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), Walter Hop (lifeforms)
* '''Documentation''': Here on the [https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode OWASP Wiki]
* '''Discussion / Archive''': <tt>owasp-modsecurity-core-rule-set@lists.owasp.org</tt> / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
* '''Github Link''': https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
* '''Final Pull Request''': FIXME

==Tasks==

===Open Tasks===

Please define state as follows: ''new'', ''assigned'', ''waiting'', ''closed''. When a task it is closed, it is moved to the seperate closed tasks table below.

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Nail down final list of rules which should be moved / recreated into the paranoia mode
| group
| assigned
|-
| Write new stricter siblings for existing rules
| Noël
| assigned
|-
| Define ID-space for strict siblings
| n.n.
| new
|-
| Sort out mechanics of the paranoia mode
| Christian
| new
|-
| Define exact syntax of paranoia mode setup
| Christian
| waiting
|-
| Sort out name: Is "Paranoia Mode" really the right term?
| Christian
| waiting
|-
| Write pull request
| n.n.
| new
|-
| Submit pull request
| n.n.
| new
|-
| Draw flowchart
| n.n.
| new
|-
| Write documentation
| n.n.
| new
|}

===Closed Tasks===

{|- class="wikitable"
|'''Task'''
|         '''Who'''       
|    '''Status'''   
|-
| Assemble list of rules, which triggered false positives in 2.2.X frequently
| Christian
| closed
|-
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1
| Spartan
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.)
| Christian
| closed
|-
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode
| Franziska
| closed
|-
| Assemble list of disappeared / missing 2.2.X base_rules, which should be brought back
| group
| closed
|-
| Assemble list of 2.2.X optional and experimental rules, which should be brought back
| group
| closed (could be repeated more throughly)
|}

==Rules==

===Paranoia Mode Candidates===

The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>)
A mapping table exists [[https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/id_renumbering/IdNumbering.csv IdNumbering.csv]]
We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.

Please set status as follows : ''candidate'', ''cloning-candidate'', ''unsure'', ''dropped''.
* 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
* If dropped, please provide reasoning in the remarks.

{|- class="wikitable"
|'''RuleID 2.2.x'''
|'''RuleID 3.0.0-rc1'''
|         '''msg'''       
|    '''Status'''   
|    '''Remarks'''   
|-
| 900050
| 910100
| Client IP is from a HIGH Risk Country Location.
| unsure
| Franziska's candidate: Do we want to exlude countries? But then easy to configure.
|-
| 950001
| 942150
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: @pmf file with very short function names, could match frequently.
|-
| 950109
| 920230
| Multiple URL Encoding Detected
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 950120
| 931130
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
| candidate
| Walter's 2.2.X candidate: many FP; Chrstian: hardly any FPs, #discuss
|-
| 960335
| 920380
| Too many arguments in request
| candidate
| Walter's 2.2.X candidate: some FP (phpMyAdmin, large forms), alternatively would recommend raising <code>tx.max_num_args</code> to 1000
|-
| 950901
| 942130
| SQL Injection Attack: SQL Tautology Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: legitimate sentences could match. Walter's 2.2.x experience: many FP in natural text however the rule seems to have merit
|-
| 950907
| 932100
| System Command Injection
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: false positives possible because of @pmf, file with short cmds. Maybe we should split the data file #discuss
|-
| 950916
| 921170
| HTTP Header Injection Attack via payload (CR/LF detected)
| candidate
| Franziska's candidate: change action from pass to block and move to paranoia mode.
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short function names. Maybe we should split the data file #discuss
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| candidate
| Franziska's candidate: false positives possible because of @pmf, file with short configuration directives.
|-
| 959070
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959071
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959072
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 959073
| gone
| SQL Injection Attack
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960015
| 920300
| Request Missing an Accept Header
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: many FP (PHP SoapClient)
|-
| 960017
| 920350
| Host header is a numeric IP address
| candidate
| Christian's 2.2.X experience: very frequently false positives. Also Franziska's candidate: Not every legitimate client behaves correctly. Walter's experience: low FP (almost all are mass scans) #discuss
|-
| 960024
| gone
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| candidate
| Christian's 2.2.X experience: very frequently false positives
|-
| 960035
| 920440
| URL file extension is restricted by policy
| candidate
| Christian's 2.2.X experience: frequently false positives
|-
| 970901
| 950100
| The Application Returned a 500-Level Status Code
| candidate
| Franziska's candidate: too strict, too generic, no data leakage happened so far. Walter: it's useful however to prevent attacker from distinguishing between a failed SQLi attempt (403 blocked by ModSec) or a query error due to vulnerable app (500 from application) #discuss
|-
| 973300
| gone
| Possible XSS Attack Detected - HTML Tag Handler
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973332
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 973333
| gone
| IE XSS Filters - Attack Detected.
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981172
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981173
| gone
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: very high FP
|-
| 981231
| gone
| SQL Comment Sequence Detected.
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP but rule seems useful
|-
| 981240
| 942300
| Detects MySQL comments, conditions and ch(a)r injections
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP
|-
| 981242
| 942330
| Detects classic SQL injection probings 1/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: one quote character already matches?? Walter: low FP, but seen in cookies injected by some US ISPs;
|-
| 981243
| 942370
| Detects classic SQL injection probings 2/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: medium FP
|-
| 981244
| 942180
| Detects basic SQL authentication bypass attempts 1/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP, #discuss
|-
| 981245
| 942260
| Detects basic SQL authentication bypass attempts 2/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981246
| 942340
| Detects basic SQL authentication bypass attempts 3/3
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981248
| 942210
| Detects chained SQL injection attempts 1/2
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: low FP, #discuss
|-
| 981249
| 942310
| Detects chained SQL injection attempts 2/2
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: low FP but seen in very specific situations
|-
| 981257
| 942200
| Detects MySQL comment-/space-obfuscated injections and backtick termination
| candidate
| Christian's 2.2.X experience: frequently false positives. Walter: medium FP
|-
| 981260
| gone
| SQL Hex Encoding Identified
| candidate
| Christian's 2.2.X experience: very frequently false positives. Walter: high FP in long random strings
|-
| 981318
| 942110
| SQL Injection Attack: Common Injection Testing Detected
| candidate
| Franziska's candidate: one quote character at the beginning/end really not legitimate? Walter 2.2.X candidate: frequent FP
|-
| 981319
| 942120
| SQL Injection Attack: SQL Operator Detected
| candidate
| Christian's 2.2.X experience: frequently false positives. Also Franziska's candidate: very short operators or strings already match. Walter: some FP (WooCommerce)
|-
| 981049
| 912100
| Potential Denial of Service (DoS) Attack from ... - # of Request Bursts: ...
| cloning-candidate
| limit currently at 2; could be set to 1; now, the attacker has to exceed dos_counter_threshold twice. With full reset of counter after first hit. Source: 2.2.X->experimental rules
|-
| 960901
| 920270
| Invalid character in request
| cloning-candidate
| @validateByteRange 1-255; there was a conditional rule with stricter byterange 32-126 in 2.2.X as well
|-
| 970003
| 951100
| none
| cloning-candidate
| rule is only setting tx.sql_error_match. Could also trigger score directly
|-
| 950907
| 932100
| Remote Command Execution (RCE) Attempt
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958977
| 933110
| PHP Injection Attack: Function Name Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958979
| 933120
| PHP Injection Attack: Configuration Directive Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 958980
| 933130
| PHP Injection Attack: Variables Found
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|-
| 950001
| 942150
| SQL Injection Attack
| cloning-candidate
| rule is only triggering in combination with chained rule. Could trigger on its on
|}

===Rules from 2.2.X, missing in 3.0.0-rc1===

It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.

When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.

====Base rules====

{|- class="wikitable"
|'''2.2.X rule id'''
|         '''msg'''       
|    '''remarks'''   
|-
| 950002
| System Command Access
|
|-
| 950006
| System Command Injection
|
|-
| 950007
| Blind SQL Injection Attack
|
|-
| 950008
| Injection of Undocumented ColdFusion Tags
|
|-
| 950010
| LDAP Injection Attack
|
|-
| 950011
| SSI injection Attack
|
|-
| 950018
| Universal PDF XSS URL Detected.
| Walter: medium FP (foo.pdf#javascript)
|-
| 950019
| Email Injection Attack
|
|-
| 950908
| SQL Injection Attack.
|
|-
| 950921
| Backdoor access
|
|-
| 950922
| Backdoor access
|
|-
| 958000
| Cross-site Scripting (XSS) Attack
|
|-
| 958001
| Cross-site Scripting (XSS) Attack
|
|-
| 958002
| Cross-site Scripting (XSS) Attack
|
|-
| 958003
| Cross-site Scripting (XSS) Attack
|
|-
| 958004
| Cross-site Scripting (XSS) Attack
|
|-
| 958005
| Cross-site Scripting (XSS) Attack
|
|-
| 958006
| Cross-site Scripting (XSS) Attack
|
|-
| 958007
| Cross-site Scripting (XSS) Attack
|
|-
| 958008
| Cross-site Scripting (XSS) Attack
|
|-
| 958009
| Cross-site Scripting (XSS) Attack
|
|-
| 958010
| Cross-site Scripting (XSS) Attack
|
|-
| 958011
| Cross-site Scripting (XSS) Attack
|
|-
| 958012
| Cross-site Scripting (XSS) Attack
|
|-
| 958013
| Cross-site Scripting (XSS) Attack
|
|-
| 958016
| Cross-site Scripting (XSS) Attack
|
|-
| 958017
| Cross-site Scripting (XSS) Attack
|
|-
| 958018
| Cross-site Scripting (XSS) Attack
|
|-
| 958019
| Cross-site Scripting (XSS) Attack
|
|-
| 958020
| Cross-site Scripting (XSS) Attack
|
|-
| 958022
| Cross-site Scripting (XSS) Attack
|
|-
| 958023
| Cross-site Scripting (XSS) Attack
|
|-
| 958024
| Cross-site Scripting (XSS) Attack
|
|-
| 958025
| Cross-site Scripting (XSS) Attack
|
|-
| 958026
| Cross-site Scripting (XSS) Attack
|
|-
| 958027
| Cross-site Scripting (XSS) Attack
|
|-
| 958028
| Cross-site Scripting (XSS) Attack
|
|-
| 958030
| Cross-site Scripting (XSS) Attack
|
|-
| 958031
| Cross-site Scripting (XSS) Attack
|
|-
| 958032
| Cross-site Scripting (XSS) Attack
|
|-
| 958033
| Cross-site Scripting (XSS) Attack
|
|-
| 958034
| Cross-site Scripting (XSS) Attack
|
|-
| 958036
| Cross-site Scripting (XSS) Attack
|
|-
| 958037
| Cross-site Scripting (XSS) Attack
|
|-
| 958038
| Cross-site Scripting (XSS) Attack
|
|-
| 958039
| Cross-site Scripting (XSS) Attack
|
|-
| 958040
| Cross-site Scripting (XSS) Attack
|
|-
| 958041
| Cross-site Scripting (XSS) Attack
|
|-
| 958045
| Cross-site Scripting (XSS) Attack
|
|-
| 958046
| Cross-site Scripting (XSS) Attack
|
|-
| 958047
| Cross-site Scripting (XSS) Attack
|
|-
| 958049
| Cross-site Scripting (XSS) Attack
|
|-
| 958051
| Cross-site Scripting (XSS) Attack
|
|-
| 958052
| Cross-site Scripting (XSS) Attack
|
|-
| 958054
| Cross-site Scripting (XSS) Attack
|
|-
| 958056
| Cross-site Scripting (XSS) Attack
|
|-
| 958057
| Cross-site Scripting (XSS) Attack
|
|-
| 958059
| Cross-site Scripting (XSS) Attack
|
|-
| 958291
| Range: field exists and begins with 0.
| Walter: high FP (Chrome PDF viewer) and not useful.
|-
| 958404
| Cross-site Scripting (XSS) Attack
|
|-
| 958405
| Cross-site Scripting (XSS) Attack
|
|-
| 958406
| Cross-site Scripting (XSS) Attack
|
|-
| 958407
| Cross-site Scripting (XSS) Attack
|
|-
| 958408
| Cross-site Scripting (XSS) Attack
|
|-
| 958409
| Cross-site Scripting (XSS) Attack
|
|-
| 958410
| Cross-site Scripting (XSS) Attack
|
|-
| 958411
| Cross-site Scripting (XSS) Attack
|
|-
| 958412
| Cross-site Scripting (XSS) Attack
|
|-
| 958413
| Cross-site Scripting (XSS) Attack
|
|-
| 958414
| Cross-site Scripting (XSS) Attack
|
|-
| 958415
| Cross-site Scripting (XSS) Attack
|
|-
| 958416
| Cross-site Scripting (XSS) Attack
|
|-
| 958417
| Cross-site Scripting (XSS) Attack
|
|-
| 958418
| Cross-site Scripting (XSS) Attack
|
|-
| 958419
| Cross-site Scripting (XSS) Attack
|
|-
| 958420
| Cross-site Scripting (XSS) Attack
|
|-
| 958421
| Cross-site Scripting (XSS) Attack
|
|-
| 958422
| Cross-site Scripting (XSS) Attack
|
|-
| 958423
| Cross-site Scripting (XSS) Attack
|
|-
| 958976
| PHP Injection Attack
|
|-
| 959070
| SQL Injection Attack
|
|-
| 959071
| SQL Injection Attack
|
|-
| 959072
| SQL Injection Attack
|
|-
| 959073
| SQL Injection Attack
|
|-
| 960014
| Proxy access attempt
|
|-
| 960018
| Invalid character in request
|
|-
| 960020
| Pragma Header requires Cache-Control Header for HTTP/1.1 requests.
| Walter: some FP
|-
| 960022
| UNKNOWN
|
|-
| 960024
| Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters
| Walter: many FP
|-
| 960902
| UNKNOWN
|
|-
| 960913
| Invalid request
|
|-
| 970007
| Zope Information Leakage
|
|-
| 970008
| Cold Fusion Information Leakage
|
|-
| 970010
| ISA server existence revealed
|
|-
| 970011
| File or Directory Names Leakage
|
|-
| 970012
| Microsoft Office document properties leakage
|
|-
| 970016
| Cold Fusion source code leakage
| Walter: some FP but not using this language
|-
| 970018
| IIS installed in default location
|
|-
| 970021
| WebLogic information disclosure
|
|-
| 970903
| ASP/JSP source code leakage
| Walter: some FP but not using this language
|-
| 973300
| Possible XSS Attack Detected - HTML Tag Handler
|
|-
| 973301
| XSS Attack Detected
|
|-
| 973302
| XSS Attack Detected
|
|-
| 973303
| XSS Attack Detected
|
|-
| 973304
| XSS Attack Detected
|
|-
| 973305
| XSS Attack Detected
|
|-
| 973306
| XSS Attack Detected
|
|-
| 973307
| XSS Attack Detected
|
|-
| 973308
| XSS Attack Detected
|
|-
| 973309
| XSS Attack Detected
|
|-
| 973310
| XSS Attack Detected
|
|-
| 973311
| XSS Attack Detected
|
|-
| 973312
| XSS Attack Detected
|
|-
| 973313
| XSS Attack Detected
|
|-
| 973314
| XSS Attack Detected
|
|-
| 973316
| IE XSS Filters - Attack Detected.
|
|-
| 973325
| IE XSS Filters - Attack Detected.
|
|-
| 973327
| IE XSS Filters - Attack Detected.
|
|-
| 973328
| IE XSS Filters - Attack Detected.
|
|-
| 973329
| IE XSS Filters - Attack Detected.
|
|-
| 973330
| IE XSS Filters - Attack Detected.
|
|-
| 973331
| IE XSS Filters - Attack Detected.
|
|-
| 973332
| IE XSS Filters - Attack Detected.
|
|-
| 973333
| IE XSS Filters - Attack Detected.
|
|-
| 973334
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973335
| IE XSS Filters - Attack Detected.
| Walter: many FP in text
|-
| 973347
| IE XSS Filters - Attack Detected.
|
|-
| 981000
| Possibly malicious iframe tag in output
| Walter: medium FP
|-
| 981001
| Possibly malicious iframe tag in output
| Walter: medium FP (iframes with display:none)
|-
| 981003
| Malicious iframe+javascript tag in output
|
|-
| 981004
| Potential Obfuscated Javascript in Output - Excessive fromCharCode
| Walter: many FP (Wordpress 4.4 inlined emoji javascripts)
|-
| 981005
| Potential Obfuscated Javascript in Output - Eval+Unescape
|
|-
| 981006
| Potential Obfuscated Javascript in Output - Unescape
|
|-
| 981007
| Potential Obfuscated Javascript in Output - Heap Spray
|
|-
| 981018
| UNKNOWN
|
|-
| 981022
| UNKNOWN
|
|-
| 981133
| UNKNOWN
|
|-
| 981134
| UNKNOWN
|
|-
| 981136
| UNKNOWN
|
|-
| 981172
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981173
| Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
| Walter: many FP
|-
| 981177
| UNKNOWN
|
|-
| 981178
| UNKNOWN
|
|-
| 981231
| SQL Comment Sequence Detected.
|
|-
| 981260
| SQL Hex Encoding Identified
|
|-
| 981300
| UNKNOWN
|
|-
| 981301
| UNKNOWN
|
|-
| 981302
| UNKNOWN
|
|-
| 981303
| UNKNOWN
|
|-
| 981304
| UNKNOWN
|
|-
| 981305
| UNKNOWN
|
|-
| 981306
| UNKNOWN
|
|-
| 981307
| UNKNOWN
|
|-
| 981308
| UNKNOWN
|
|-
| 981309
| UNKNOWN
|
|-
| 981310
| UNKNOWN
|
|-
| 981311
| UNKNOWN
|
|-
| 981312
| UNKNOWN
|
|-
| 981313
| UNKNOWN
|
|-
| 981314
| UNKNOWN
|
|-
| 981315
| UNKNOWN
|
|-
| 981316
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 981317
| SQL SELECT Statement Anomaly Detection Alert
|
|-
| 990012
| Rogue web site crawler
|
|}

====Optional, experimental, slr rules====

{|- class="wikitable"
| 900048
| Identifies Reflected XSS (optional_rules)
| Walter: could be very interesting candidate but have not used it in production
|-
| 920021, 920022, 920023
| Possible Credit Card Track 1 Data Leakage. (experimental_rules)
| Walter: could be interesting candidates but have not used it in production
|-
| 981080, 920020, 920006
| Detect CC# in output and block transaction (optional_rules)
| Walter: could be interesting candidate but have not used it in production
|-
| 900047, 900048, 981180, 981182
| Identifies Stored XSS (optional_rules)
| Walter: could be somewhat interesting candidate but have not used it in production
|}

=== Stricter siblings for existing rules ===

The siblings detection rates and the anomaly ratings are drastically adjusted. To prevent loads of false positives, the rules can be filtered for common FP cases through chaining.

==== 981173 : SQL Injection Character Anomaly Usage ====

Original ID (2.2.X): 981173 
Change: Regex counter decreased to '1', anomaly score set to 'critical' 
FP Filter: UUIDs 

#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981173.
# The regex limit is set to {1,}, adjust to your own needs.
# For dealing with false positives caused by uuids, the rule is now chained.
# Also the anomaly score is now set to critical.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia level 40',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"

==Project Status==

===Project Status January 30, 2016===

<code>
Hello everybody,

It's time to do a status report of our little core rules project.

I am including Franziska Bühler and Walter Hop in this status mail.
Both are experienced ModSec sysadmins. Franziska contributed to this
first stage, Walter told me he does not have much time, but he
was interested in participating at least in the discussions about
the rules.

All in all, this is taking more time than anticipated. But we
have also done things very throughly than I thought. Which is
generally a good thing.

Done so far:
* Manuel has provided us with a list of rules removed between 2.2.x and 3.0.0rc1
* I have assembled a list of rules known to trigger false positives frequently in the 2.2.x ruleset, they are thus candidates for the paranoia mode
* Franziska has looked through the 3.0.0rc1 rules and identified a set of rules which look like good candidates.
* Noël has sharpened his skills by re-writing 981173 in a way that ignores innocent UUIDs. In my eyes, he found a very elegant solution.
* With the development of 3.0.0-dev, Chaim unfortunately reused rule ids formerly used with optional and experimental rules. Now this has all been renumbered. I have pointed this out in the mailinglist and had private contact with Chaim where he confirmed the fact - and promised to resolve the issue.

We have not really looked at the disappeared rules and identified those
who should be brought back and have not been picked so far. This
includes the 2.2.X base_rules, but also the optional, experimental,
and huge stock of slr rules. Of these three groups, only the
anti-ddos rules have made it into 3.0.0. There are probably more
interesting candidates.

If somebody among you wants to look into these, then that would be
welcome, but I do not want to have these tasks delay us any further.
After all, Old rules can also be brought back in subsequent releases
if we see a benefit.

So the next real tasks are:
* Looking through the list of candidates and cloning-candidates (the latter are those rules we might accompany with a clone with stricter limits in paranoia mode).
* Defining the exact working of the paranoia mode.

Please sit down and look through the rule lists in the wiki and add
remarks with regards to the candidate rules. If you think a rule
should be included, if you think an individual rule should not be
included etc.

I am also going to invite the people on the mailinglist to take look at
the rules as well and add their remarks in the wiki (or respond via mail).
This should allow us to nail down the list of rules which will
actually be included in the paranoia mode.

As for defining the exact working of the paranoia mode, I guess I
need to write down the idea I have in mind and see if it makes sense to
you.

Thank you for contributing so far! It is a lot of fun to work in a team!

Christian

</code>

OWASP ModSec CRS Paranoia Mode

2016-01-28T17:48:15Z

Zino: /* 981173 : SQL Injection Character Anomaly Usage */

OWASP ModSec CRS Paranoia Mode

2016-01-28T13:38:17Z

Zino: 'Stricter siblings for existing rules' added

OWASP ModSec CRS Paranoia Mode

2016-01-12T07:48:02Z

Zino: Tasks

OWASP ModSec CRS Paranoia Mode

2016-01-08T19:55:17Z

Zino: Sub-Project Infos: added "Noël Zindel" to "who", Open Tasks: added "Noël" to Task "stricter siblings"

User:Zino

2016-01-08T19:49:06Z

Zino:

Noël Zindel, Junior IT System Engineer with basic experience in Windows system administration and network administration in Cisco/Checkpoint environments.
Currently working on LPIC-1 certification and ModSecurity CRS Paranoia Mode for V3.0.

Interests in open-source technologies and IT security.

Languages: German and English

Contact me via mail(at)noelzindel(dot)org
GPG KeyID 4BABD7E1