This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ModSecurity CRS Rule Description Template"
| Line 63: | Line 63: | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
If there are any known false positives - specify them here | If there are any known false positives - specify them here | ||
| + | Also sign-up for the Reporting False Positives mail-list here: | ||
| + | https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives | ||
| + | |||
| + | Send FP Report emails here: | ||
| + | mod-security-report-false-positives[[Image:Justat.gif|10x]]lists.sourceforge.net | ||
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td> | ||
Revision as of 14:31, 6 May 2011
- This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to
the OWASP ModSecurity Core Rule Set (CRS) Project.
- Project participants are encouraged to copy this template and create landing pages for each CRS rule
- Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS ruleID)
Rule ID: XXXXX
| Rule ID |
Place Rule ID Here |
| Rule Message |
Place Rule Message Here |
| Rule Summary |
Provide rule background. What is the rule looking for? What attack is trying to identify or prevent. |
| Impact |
This should be the Severity rating specified in the rule. (Example: 4 - Warning) |
| Rule |
|
| Detailed Rule Information |
Provide detailed information about the rule construction such as:
A description of the regular expression used - what is is looking for in plain english (Example RegEx analysis from Expresso tool) |
| Example Payload |
Provide an example payload that will trigger this rule. Example Apache log entry or HTTP payload captured by another tool |
| Example Audit Log Entry |
Include an example ModSecurity Audit Log Entry for when this rule matchs. Audit Log Entry |
| Attack Scenarios |
Provide any data around "how" the attack is carried out. |
| Ease of Attack |
How easy is it for an attacker to carry out the attack? |
| Ease of Detection |
How easy is it for a defender to use ModSecurity to accurately detect this attack? |
| False Positives |
If there are any known false positives - specify them here Also sign-up for the Reporting False Positives mail-list here: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives Send FP Report emails here:
mod-security-report-false-positives |
| False Negatives |
Are there any know issues with evasions or how an attacker might bypass detection? |
| Rule Accuracy Level |
5 point scale where: |
| Rule Documentation Contributor(s) |
Specify your name and email if you want credit for the rule or documentation of it.
Example: Ryan Barnett - ryan.barnett |
| Additional References |
Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page). |
