This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981173"
From OWASP
m |
(→981173 : SQL Injection Character Anomaly Usage) |
||
| Line 4: | Line 4: | ||
{|- class="wikitable" | {|- class="wikitable" | ||
| − | | ''' | + | | '''RuleID 2.2.x''' |
| + | | '''RuleID 3.0.0-rc1''' | ||
| '''Change''' | | '''Change''' | ||
| '''Whitelisting''' | | '''Whitelisting''' | ||
|- | |- | ||
| 981173 | | 981173 | ||
| − | | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical | + | | none |
| − | | Regex for UUIDs in chained Rule | + | | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical |
| + | | Regex for UUIDs in chained Rule | ||
|} | |} | ||
| Line 16: | Line 18: | ||
# -=[ SQL Injection Character Anomaly Usage ]=- | # -=[ SQL Injection Character Anomaly Usage ]=- | ||
# | # | ||
| − | # This is a paranoid sibling to 2.2. | + | # This is a paranoid sibling to 2.2.x Rule 981173. |
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'. | # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'. | ||
# For dealing with false positives, UUID format is whitelisted with a chained rule. | # For dealing with false positives, UUID format is whitelisted with a chained rule. | ||
Revision as of 19:44, 1 March 2016
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
981173 : SQL Injection Character Anomaly Usage
| RuleID 2.2.x | RuleID 3.0.0-rc1 | Change | Whitelisting |
| 981173 | none | Regex counter decreased from 4 to 1. Anomaly scoring increased to critical |
Regex for UUIDs in chained Rule |
#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.x Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"
