This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode Sibling 981173"
From OWASP
(→981173 : SQL Injection Character Anomaly Usage) |
(additional Rule ID information added to table) |
||
| Line 5: | Line 5: | ||
{|- class="wikitable" | {|- class="wikitable" | ||
| '''RuleID 2.2.x''' | | '''RuleID 2.2.x''' | ||
| − | | '''RuleID 3.0.0-rc1''' | + | | '''RuleID 3.0.0-rc1 (original Rule)''' |
| + | | '''RuleID 3.0.0-rc1 (paranoid Rule)''' | ||
| '''Change''' | | '''Change''' | ||
| '''Whitelisting''' | | '''Whitelisting''' | ||
| Line 11: | Line 12: | ||
| 981173 | | 981173 | ||
| none | | none | ||
| + | | tbd | ||
| Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical | | Regex counter decreased from 4 to 1.<br>Anomaly scoring increased to critical | ||
| Regex for UUIDs in chained Rule | | Regex for UUIDs in chained Rule | ||
Revision as of 19:47, 1 March 2016
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
981173 : SQL Injection Character Anomaly Usage
| RuleID 2.2.x | RuleID 3.0.0-rc1 (original Rule) | RuleID 3.0.0-rc1 (paranoid Rule) | Change | Whitelisting |
| 981173 | none | tbd | Regex counter decreased from 4 to 1. Anomaly scoring increased to critical |
Regex for UUIDs in chained Rule |
#
# -=[ SQL Injection Character Anomaly Usage ]=-
#
# This is a paranoid sibling to 2.2.x Rule 981173.
# The regex limit is set to '1' and the anomaly scoring is increased to 'critical'.
# For dealing with false positives, UUID format is whitelisted with a chained rule.
#
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){1,}"\
"chain,\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'X',\
accuracy:'Y',\
t:none,t:urlDecodeUni,\
block,\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
id:'XXXXXX',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'Paranoia rule on level Z',\
logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule MATCHED_VARS "!@rx ^[a-f0-9-]{36}$"\
"t:lowercase,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.sql_injection_score=+1"
