This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981173"
From OWASP
m |
(→981173 : SQL Injection Character Anomaly Usage: - table added for clearness) |
||
| Line 1: | Line 1: | ||
''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].'' | ''This page contains a proposal for a stricter rule-clone for [[OWASP_ModSec_CRS_Paranoia_Mode|ModSecurity CRS Paranoia Mode]].'' | ||
| − | + | == 981173 : SQL Injection Character Anomaly Usage == | |
| − | Original ID (2.2. | + | {|- class="wikitable" |
| − | + | | '''Original ID (2.2.x)''' | |
| − | + | | '''Change''' | |
| + | | '''Whitelisting''' | ||
| + | |- | ||
| + | | 981173 | ||
| + | | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical. | ||
| + | | Regex for UUIDs in chained Rule. | ||
| + | |} | ||
# | # | ||
| Line 10: | Line 16: | ||
# | # | ||
# This is a paranoid sibling to 2.2.9 Rule 981173. | # This is a paranoid sibling to 2.2.9 Rule 981173. | ||
| − | # The regex limit is set to | + | # The regex limit is set to '1' and the anomaly scoring is increased to 'critical'. |
| − | # For dealing with false positives | + | # For dealing with false positives, UUID format is whitelisted with a chained rule. |
| − | |||
# | # | ||
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\ | SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\ | ||
Revision as of 08:05, 10 February 2016
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
981173 : SQL Injection Character Anomaly Usage
| Original ID (2.2.x) | Change | Whitelisting |
| 981173 | Regex counter decreased from 4 to 1. Anomaly scoring increased to critical. |
Regex for UUIDs in chained Rule. |
#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.9 Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level 40',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"
