This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981173"
From OWASP
(additional Rule ID information added to table) |
(→981173 : SQL Injection Character Anomaly Usage) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 11: | Line 11: | ||
|- | |- | ||
| 981173 | | 981173 | ||
− | | | + | | 942430 |
− | | | + | | 942431-942434 |
− | | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical | + | | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical. |
| Regex for UUIDs in chained Rule | | Regex for UUIDs in chained Rule | ||
|} | |} | ||
Line 23: | Line 23: | ||
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'. | # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'. | ||
# For dealing with false positives, UUID format is whitelisted with a chained rule. | # For dealing with false positives, UUID format is whitelisted with a chained rule. | ||
+ | # For 3.0.0-rc1 rule, see FIXME. | ||
# | # | ||
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\ | SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\ | ||
Line 45: | Line 46: | ||
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ | ||
setvar:tx.sql_injection_score=+1" | setvar:tx.sql_injection_score=+1" | ||
+ | |||
+ | [[Category:OWASP ModSecurity Core Rule Set Project]] |
Latest revision as of 06:44, 15 March 2016
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
981173 : SQL Injection Character Anomaly Usage
RuleID 2.2.x | RuleID 3.0.0-rc1 (original Rule) | RuleID 3.0.0-rc1 (paranoid Rule) | Change | Whitelisting |
981173 | 942430 | 942431-942434 | Regex counter decreased from 4 to 1. Anomaly scoring increased to critical. |
Regex for UUIDs in chained Rule |
# # -=[ SQL Injection Character Anomaly Usage ]=- # # This is a paranoid sibling to 2.2.x Rule 981173. # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'. # For dealing with false positives, UUID format is whitelisted with a chained rule. # For 3.0.0-rc1 rule, see FIXME. # SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\ "chain,\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'X',\ accuracy:'Y',\ t:none,t:urlDecodeUni,\ block,\ msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\ id:'XXXXXX',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'Paranoia rule on level Z',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\ "t:lowercase,\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.sql_injection_score=+1"