This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 958979"
From OWASP
m (→958979 : PHP Injection Attack: Configuration Directive Found) |
(→958979 : PHP Injection Attack: Configuration Directive Found) |
||
Line 4: | Line 4: | ||
{|- class="wikitable" | {|- class="wikitable" | ||
− | | ''' | + | | '''RuleID 2.2.x''' |
+ | | '''RuleID 3.0.0-rc1 (original Rule)''' | ||
+ | | '''RuleID 3.0.0-rc1 (paranoid Rule)''' | ||
| '''Change''' | | '''Change''' | ||
| '''Whitelisting''' | | '''Whitelisting''' | ||
|- | |- | ||
| 958979 | | 958979 | ||
+ | | 933120 | ||
+ | | 933121-933124 | ||
| Rule now triggers on it's own | | Rule now triggers on it's own | ||
| none | | none | ||
Line 18: | Line 22: | ||
# This is a paranoid sibling to 2.2.x Rule 958979. | # This is a paranoid sibling to 2.2.x Rule 958979. | ||
# The rule is no longer chained in order to trigger anomaly scoring. | # The rule is no longer chained in order to trigger anomaly scoring. | ||
− | # For | + | # For 3.0.0-rc1 rule, see 933120. |
# | # | ||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \ | SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \ |
Latest revision as of 09:29, 10 March 2016
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
958979 : PHP Injection Attack: Configuration Directive Found
RuleID 2.2.x | RuleID 3.0.0-rc1 (original Rule) | RuleID 3.0.0-rc1 (paranoid Rule) | Change | Whitelisting |
958979 | 933120 | 933121-933124 | Rule now triggers on it's own | none |
# # [ PHP Configuration Directives ] # # This is a paranoid sibling to 2.2.x Rule 958979. # The rule is no longer chained in order to trigger anomaly scoring. # For 3.0.0-rc1 rule, see 933120. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \ "msg:'PHP Injection Attack: Configuration Directive Found',\ phase:request,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ t:none,t:normalisePath,\ ctl:auditLogParts=+E,\ block,\ id:'XXXXXX',\ tag:'application-multi',\ tag:'language-PHP',\ tag:'platform-multi',\ tag:'attack-PHP injection',\ tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ tag:'OWASP_TOP_10/A1',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"