This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 958980"
From OWASP
(Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 958980 : PHP Injection Attack: Variables...") |
|||
| Line 9: | Line 9: | ||
|- | |- | ||
| 958980 | | 958980 | ||
| − | | | + | | Rule now triggers on it's own |
| none | | none | ||
|} | |} | ||
| Line 27: | Line 27: | ||
maturity:'1',\ | maturity:'1',\ | ||
accuracy:'8',\ | accuracy:'8',\ | ||
| − | |||
t:none,t:normalisePath,\ | t:none,t:normalisePath,\ | ||
ctl:auditLogParts=+E,\ | ctl:auditLogParts=+E,\ | ||
Revision as of 08:22, 23 February 2016
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
958980 : PHP Injection Attack: Variables Found
| Original ID (2.2.x) | Change | Whitelisting |
| 958980 | Rule now triggers on it's own | none |
#
# [ PHP Variables ]
#
# This is a paranoid sibling to 2.2.x Rule 958980.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 933130.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
"msg:'PHP Injection Attack: Variables Found',\
phase:request,\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'1',\
accuracy:'8',\
t:none,t:normalisePath,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-PHP',\
tag:'platform-multi',\
tag:'attack-PHP injection',\
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
tag:'OWASP_TOP_10/A1',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
