This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP ModSec CRS Paranoia Mode Sibling 981172
From OWASP
Revision as of 06:45, 15 March 2016 by Zino (talk | contribs) (→981172 : SQL Injection Character Anomaly Usage)
This page contains a proposal for a stricter rule-clone for ModSecurity CRS Paranoia Mode.
981172 : SQL Injection Character Anomaly Usage
RuleID 2.2.x | RuleID 3.0.0-rc1 (original Rule) | RuleID 3.0.0-rc1 (paranoid Rule) | Change | Whitelisting |
981172 | 942420 | 942421-942424 | Regex counter decreased from 8 to 2. Anomaly scoring increased to critical. |
None |
# # -=[ SQL Injection Character Anomaly Usage ]=- # # This is a paranoid sibling to 2.2.9 Rule 981172. # The regex limit is set to '2' and the anomaly scoring is increased to 'critical'. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){2,}" "capture,\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'X',\ accuracy:'Y',\ t:none,t:urlDecodeUni,\ block,\ msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\ id:'XXXXXX',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'Paranoia rule on level Z',\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.sql_injection_score=+1,\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"