This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981172"
From OWASP
(→981172 : SQL Injection Character Anomaly Usage) |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 4: | Line 4: | ||
{|- class="wikitable" | {|- class="wikitable" | ||
| − | | ''' | + | | '''RuleID 2.2.x''' |
| + | | '''RuleID 3.0.0-rc1 (original Rule)''' | ||
| + | | '''RuleID 3.0.0-rc1 (paranoid Rule)''' | ||
| '''Change''' | | '''Change''' | ||
| '''Whitelisting''' | | '''Whitelisting''' | ||
|- | |- | ||
| 981172 | | 981172 | ||
| + | | 942420 | ||
| + | | 942421-942424 | ||
| Regex counter decreased from 8 to 2.<br>Anomaly scoring increased to critical. | | Regex counter decreased from 8 to 2.<br>Anomaly scoring increased to critical. | ||
| None | | None | ||
Latest revision as of 06:45, 15 March 2016
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
981172 : SQL Injection Character Anomaly Usage
| RuleID 2.2.x | RuleID 3.0.0-rc1 (original Rule) | RuleID 3.0.0-rc1 (paranoid Rule) | Change | Whitelisting |
| 981172 | 942420 | 942421-942424 | Regex counter decreased from 8 to 2. Anomaly scoring increased to critical. |
None |
#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981172.
# The regex limit is set to '2' and the anomaly scoring is increased to 'critical'.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){2,}"
"capture,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1,\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
