This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ModSecurity CRS Rule Description Template"
| Line 67: | Line 67: | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
Are there any know issues with evasions or how an attacker might bypass detection? | Are there any know issues with evasions or how an attacker might bypass detection? | ||
| + | </td></tr> | ||
| + | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Accuracy Level</td> | ||
| + | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
| + | '''5''' <br>5 point scale where:<br>1 = Beta/Experimental and/or high number of false positives reported<br>5 = Strong Rule and/or no false positives reported | ||
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td> | ||
Revision as of 14:20, 6 May 2011
- This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to
the OWASP ModSecurity Core Rule Set (CRS) Project.
- Project participants are encouraged to copy this template and create landing pages for each CRS rule
- Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS ruleID)
Rule ID: XXXXX
| Rule ID |
Place Rule ID Here |
| Rule Message |
Place Rule Message Here |
| Rule Summary |
Provide rule background. What is the rule looking for? What attack is trying to identify or prevent. |
| Impact |
This should be the Severity rating specified in the rule. (Example: 4 - Warning) |
| Rule |
|
| Detailed Rule Information |
Provide detailed information about the rule construction such as:
A description of the regular expression used - what is is looking for in plain english (Example RegEx analysis from Expresso tool) |
| Example Payload |
Provide an example payload that will trigger this rule. Example Apache log entry or HTTP payload captured by another tool |
| Example Audit Log Entry |
Include an example ModSecurity Audit Log Entry for when this rule matchs. Audit Log Entry |
| Attack Scenarios |
Provide any data around "how" the attack is carried out. |
| Ease of Attack |
How easy is it for an attacker to carry out the attack? |
| Ease of Detection |
How easy is it for a defender to use ModSecurity to accurately detect this attack? |
| False Positives |
If there are any known false positives - specify them here |
| False Negatives |
Are there any know issues with evasions or how an attacker might bypass detection? |
| Rule Accuracy Level |
5 |
| Rule Documentation Contributor(s) |
Specify your name and email if you want credit for the rule or documentation of it.
Example: Ryan Barnett - rcbarnett |
| Additional References |
Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page). |
