Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981173"

Latest revision as of 06:44, 15 March 2016

This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.

981173 : SQL Injection Character Anomaly Usage

RuleID 2.2.x	RuleID 3.0.0-rc1 (original Rule)	RuleID 3.0.0-rc1 (paranoid Rule)	Change	Whitelisting
981173	942430	942431-942434	Regex counter decreased from 4 to 1. Anomaly scoring increased to critical.	Regex for UUIDs in chained Rule

 #
 # -=[ SQL Injection Character Anomaly Usage ]=-
 #
 # This is a paranoid sibling to 2.2.x Rule 981173.
 # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
 # For dealing with false positives, UUID format is whitelisted with a chained rule.
 # For 3.0.0-rc1 rule, see FIXME.
 #
 SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
       "chain,\
       phase:request,\
       rev:'2',\
       ver:'OWASP_CRS/3.0.0',\
       maturity:'X',\
       accuracy:'Y',\
       t:none,t:urlDecodeUni,\
       block,\
       msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
       id:'XXXXXX',\
       tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
       tag:'Paranoia rule on level Z',\
       logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
       severity:'CRITICAL',\
       setvar:'tx.msg=%{rule.msg}',\
       setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
       SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
               "t:lowercase,\
               setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
               setvar:tx.sql_injection_score=+1"

@@ Line 1: / Line 1: @@
-==== 981173 : SQL Injection Character Anomaly Usage ====
+''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].''
-Original ID (2.2.X): 981173<br>
+== 981173 : SQL Injection Character Anomaly Usage ==
-Change: Regex counter decreased to '1', anomaly score set to 'critical', paranoia tag added<br>
-FP Filter: UUIDs<br>
+{|- class="wikitable"
+ | '''RuleID 2.2.x'''
+ | '''RuleID 3.0.0-rc1 (original Rule)'''
+ | '''RuleID 3.0.0-rc1 (paranoid Rule)'''
+ | '''Change'''
+ | '''Whitelisting'''
+|-
+ | 981173
+ | 942430
+ | 942431-942434
+ | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical.
+ | Regex for UUIDs in chained Rule
+|}
    #
    # -=[ SQL Injection Character Anomaly Usage ]=-
    #
-   # This is a paranoid sibling to 2.2.9 Rule 981173.
+   # This is a paranoid sibling to 2.2.x Rule 981173.
-   # The regex limit is set to {1,}, adjust to your own needs.
+   # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
-   # For dealing with false positives caused by uuids, the rule is now chained.
+   # For dealing with false positives, UUID format is whitelisted with a chained rule.
-   # Also the anomaly score is now set to critical.
+   # For 3.0.0-rc1 rule, see FIXME.
    #
    SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
@@ Line 25: / Line 37: @@
          id:'XXXXXX',\
          tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
-         tag:'Paranoia rule on level 40',\
+         tag:'Paranoia rule on level Z',\
          logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
          severity:'CRITICAL',\
@@ Line 34: / Line 46: @@
                  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
                  setvar:tx.sql_injection_score=+1"
+[[Category:OWASP ModSecurity Core Rule Set Project]]

Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981173"

Latest revision as of 06:44, 15 March 2016

981173 : SQL Injection Character Anomaly Usage

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools