This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP ModSec CRS Paranoia Mode Sibling 950001
From OWASP
Revision as of 08:43, 24 February 2016 by Zino (talk | contribs) (Created page with "''This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.'' == 950001 : SQL Injection Attack == {|- cla...")
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
950001 : SQL Injection Attack
| Original ID (2.2.x) | Change | Whitelisting |
| 950001 | Rule now triggers on it's own | none |
#
# -=[ SQL Function Names ]=-
#
# This is a paranoid sibling to 2.2.x Rule 950001.
# The rule is no longer chained in order to trigger anomaly scoring.
# For chain-based scoring see 3.0.0 Rule 942150.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf sql-function-names.data" \
"msg:'SQL Injection Attack',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/2.2.6',\
maturity:'9',\
accuracy:'8',\
capture,\
t:none,t:urlDecodeUni,\
ctl:auditLogParts=+E,\
block,\
id:'XXXXXX',\
tag:'application-multi',\
tag:'language-mutli',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL'
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
