This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ModSecurity CRS Rule Description Template"
From OWASP
(Created page with ' - This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to the OWASP ModSecurity Core Rule Set (CRS) Project. - Project participants…') |
(→Rule ID: XXXXX) |
||
| (9 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
== Rule ID: XXXXX == | == Rule ID: XXXXX == | ||
| − | + | <table style="border-style:double;border-width:3px;" > | |
| − | === Rule = | + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule ID</td> |
| − | + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | |
| − | + | Place Rule ID Here | |
| − | = | + | </td></tr> |
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Message</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
| + | Place Rule Message Here | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Summary</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
Provide rule background. What is the rule looking for? What attack is trying to identify or prevent. | Provide rule background. What is the rule looking for? What attack is trying to identify or prevent. | ||
| − | + | </td></tr> | |
| − | == | + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Impact</td> |
| − | This should be the Severity rating specified in the rule. | + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > |
| − | + | This should be the Severity rating specified in the rule. (Example: 4 - Warning) | |
| − | === Detailed Information = | + | </td></tr> |
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
| + | <code>Provide the entire rule/rule chain here</code> | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
Provide detailed information about the rule construction such as: | Provide detailed information about the rule construction such as: | ||
*Why the variable list specified was used | *Why the variable list specified was used | ||
| − | |||
*What actions are used and why | *What actions are used and why | ||
| + | <pre> | ||
| + | A description of the regular expression used - what is is looking for in plain english (Example RegEx analysis from Expresso tool) | ||
| + | </pre> | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Payload</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
| + | Provide an example payload that will trigger this rule. | ||
| − | == | + | Example Apache log entry or HTTP payload captured by another tool |
| − | + | </td></tr> | |
| − | + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Example Audit Log Entry</td> | |
| − | = | + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > |
| + | Include an example ModSecurity Audit Log Entry for when this rule matchs. | ||
| + | <pre> | ||
| + | Audit Log Entry | ||
| + | </pre> | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Attack Scenarios</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
Provide any data around "how" the attack is carried out. | Provide any data around "how" the attack is carried out. | ||
| − | + | </td></tr> | |
| − | = | + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Attack</td> |
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
How easy is it for an attacker to carry out the attack? | How easy is it for an attacker to carry out the attack? | ||
| − | + | </td></tr> | |
| − | = | + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Ease of Detection</td> |
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
How easy is it for a defender to use ModSecurity to accurately detect this attack? | How easy is it for a defender to use ModSecurity to accurately detect this attack? | ||
| − | + | </td></tr> | |
| − | = | + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Positives</td> |
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
If there are any known false positives - specify them here | If there are any known false positives - specify them here | ||
| + | Also sign-up for the Reporting False Positives mail-list here: | ||
| + | https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives | ||
| − | = | + | Send FP Report emails here: |
| + | mod-security-report-false-positives[[Image:Justat.gif|10x]]lists.sourceforge.net | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >False Negatives</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
Are there any know issues with evasions or how an attacker might bypass detection? | Are there any know issues with evasions or how an attacker might bypass detection? | ||
| − | + | </td></tr> | |
| − | === | + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Maturity</td> |
| − | + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | |
| − | + | 10 point scale (0-9) where:<br>0 = Beta/Experimental <br>9 = Heavily Tested | |
| − | === | + | </td></tr> |
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
| + | 10 point scale (0-9) where:<br>0 = High % of FP<br>5 = No false positives reported | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
Specify your name and email if you want credit for the rule or documentation of it. | Specify your name and email if you want credit for the rule or documentation of it. | ||
| + | Example: Ryan Barnett - ryan.barnett[[Image:Justat.gif|10px]]owasp.org | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
| + | Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page). | ||
| + | </td></tr> | ||
| + | </table> | ||
| − | + | [[Category:OWASP ModSecurity Core Rule Set Project]] | |
| − | |||
Latest revision as of 17:27, 9 May 2011
- This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to
the OWASP ModSecurity Core Rule Set (CRS) Project.
- Project participants are encouraged to copy this template and create landing pages for each CRS rule
- Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS ruleID)
Rule ID: XXXXX
| Rule ID |
Place Rule ID Here |
| Rule Message |
Place Rule Message Here |
| Rule Summary |
Provide rule background. What is the rule looking for? What attack is trying to identify or prevent. |
| Impact |
This should be the Severity rating specified in the rule. (Example: 4 - Warning) |
| Rule |
|
| Detailed Rule Information |
Provide detailed information about the rule construction such as:
A description of the regular expression used - what is is looking for in plain english (Example RegEx analysis from Expresso tool) |
| Example Payload |
Provide an example payload that will trigger this rule. Example Apache log entry or HTTP payload captured by another tool |
| Example Audit Log Entry |
Include an example ModSecurity Audit Log Entry for when this rule matchs. Audit Log Entry |
| Attack Scenarios |
Provide any data around "how" the attack is carried out. |
| Ease of Attack |
How easy is it for an attacker to carry out the attack? |
| Ease of Detection |
How easy is it for a defender to use ModSecurity to accurately detect this attack? |
| False Positives |
If there are any known false positives - specify them here Also sign-up for the Reporting False Positives mail-list here: https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives Send FP Report emails here:
mod-security-report-false-positives |
| False Negatives |
Are there any know issues with evasions or how an attacker might bypass detection? |
| Rule Maturity |
10 point scale (0-9) where: |
| Rule Accuracy |
10 point scale (0-9) where: |
| Rule Documentation Contributor(s) |
Specify your name and email if you want credit for the rule or documentation of it.
Example: Ryan Barnett - ryan.barnett |
| Additional References |
Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page). |
