This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP ModSec CRS Paranoia Mode Sibling 981172

From OWASP
Revision as of 06:45, 15 March 2016 by Zino (talk | contribs) (981172 : SQL Injection Character Anomaly Usage)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.

981172 : SQL Injection Character Anomaly Usage

RuleID 2.2.x RuleID 3.0.0-rc1 (original Rule) RuleID 3.0.0-rc1 (paranoid Rule) Change Whitelisting
981172 942420 942421-942424 Regex counter decreased from 8 to 2.
Anomaly scoring increased to critical.
None
 #
 # -=[ SQL Injection Character Anomaly Usage  ]=-
 #
 # This is a paranoid sibling to 2.2.9 Rule 981172.
 # The regex limit is set to '2' and the anomaly scoring is increased to 'critical'.
 #
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){2,}"
       "capture,\
       phase:request,\
       rev:'2',\
       ver:'OWASP_CRS/3.0.0',\
       maturity:'X',\
       accuracy:'Y',\
       t:none,t:urlDecodeUni,\
       block,\
       msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
       id:'XXXXXX',\
       tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
       tag:'Paranoia rule on level Z',\
       logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
       severity:'CRITICAL',\
       setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
       setvar:tx.sql_injection_score=+1,\
       setvar:'tx.msg=%{rule.msg}',\
       setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"