This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981173"

From OWASP
Jump to: navigation, search
(additional Rule ID information added to table)
(981173 : SQL Injection Character Anomaly Usage)
 
(2 intermediate revisions by 2 users not shown)
Line 11: Line 11:
 
|-
 
|-
 
  | 981173
 
  | 981173
  | none
+
  | 942430
  | tbd
+
  | 942431-942434
  | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical
+
  | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical.
 
  | Regex for UUIDs in chained Rule
 
  | Regex for UUIDs in chained Rule
 
|}
 
|}
Line 23: Line 23:
 
   # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
 
   # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
 
   # For dealing with false positives, UUID format is whitelisted with a chained rule.
 
   # For dealing with false positives, UUID format is whitelisted with a chained rule.
 +
  # For 3.0.0-rc1 rule, see FIXME.
 
   #
 
   #
 
   SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
 
   SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
Line 45: Line 46:
 
                 setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
 
                 setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
 
                 setvar:tx.sql_injection_score=+1"
 
                 setvar:tx.sql_injection_score=+1"
 +
 +
[[Category:OWASP ModSecurity Core Rule Set Project]]

Latest revision as of 06:44, 15 March 2016

This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.

981173 : SQL Injection Character Anomaly Usage

RuleID 2.2.x RuleID 3.0.0-rc1 (original Rule) RuleID 3.0.0-rc1 (paranoid Rule) Change Whitelisting
981173 942430 942431-942434 Regex counter decreased from 4 to 1.
Anomaly scoring increased to critical.
Regex for UUIDs in chained Rule
 #
 # -=[ SQL Injection Character Anomaly Usage ]=-
 #
 # This is a paranoid sibling to 2.2.x Rule 981173.
 # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
 # For dealing with false positives, UUID format is whitelisted with a chained rule.
 # For 3.0.0-rc1 rule, see FIXME.
 #
 SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
       "chain,\
       phase:request,\
       rev:'2',\
       ver:'OWASP_CRS/3.0.0',\
       maturity:'X',\
       accuracy:'Y',\
       t:none,t:urlDecodeUni,\
       block,\
       msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
       id:'XXXXXX',\
       tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
       tag:'Paranoia rule on level Z',\
       logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
       severity:'CRITICAL',\
       setvar:'tx.msg=%{rule.msg}',\
       setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
       SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
               "t:lowercase,\
               setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
               setvar:tx.sql_injection_score=+1"