This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
ModSecurity CRS Rule Description Template
- This is a template for submitting or documenting ModSecurity CRS rule/signature descriptions to
the OWASP ModSecurity Core Rule Set (CRS) Project.
- Project participants are encouraged to copy this template and create landing pages for each CRS rule
- Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS ruleID)
- 1 Rule ID: XXXXX
- 2 = Rule Message: Message Text
- 2.1 Rule
- 2.2 Rule Summary
- 2.3 Impact
- 2.4 Detailed Information
- 2.5 Example Payload
- 2.6 Example Audit Log Entry
- 2.7 Affected Software
- 2.8 Attack Scenarios
- 2.9 Ease of Attack
- 2.10 Ease of Detection
- 2.11 False Positives
- 2.12 False Negatives
- 2.13 Corrective Action
- 2.14 Contributors
- 2.15 Additional References
Rule ID: XXXXX
= Rule Message: Message Text
Rule
Provide the entire rule/rule chain here
Rule Summary
Provide rule background. What is the rule looking for? What attack is trying to identify or prevent.
Impact
This should be the Severity rating specified in the rule.
Detailed Information
Provide detailed information about the rule construction such as:
- Why the variable list specified was used
- A description of the regular expression used - what is is looking for in plain english
- What actions are used and why
Example Payload
Provide an example payload that will trigger this rule.
attack payload data
Example Audit Log Entry
Include an example ModSecurity Audit Log Entry for when this rule matchs.
audit log data
Affected Software
If this attack only affects a specific piece of public software (if this is a virtual patch for a public disclosure) specify which info.
Attack Scenarios
Provide any data around "how" the attack is carried out.
Ease of Attack
How easy is it for an attacker to carry out the attack?
Ease of Detection
How easy is it for a defender to use ModSecurity to accurately detect this attack?
False Positives
If there are any known false positives - specify them here
False Negatives
Are there any know issues with evasions or how an attacker might bypass detection?
Corrective Action
Any tuning recommendations for the existing rule?
Contributors
Specify your name and email if you want credit for the rule or documentation of it.
Additional References
Provide any external reference links (e.g. - if this is a virtual patch for a known vuln link to the Bugtraq or CVE page).
