This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSec CRS Paranoia Mode"
From OWASP
(List of 2.2.X ids missing in 3.0.0.) |
|||
| Line 288: | Line 288: | ||
| candidate | | candidate | ||
| Christian's 2.2.X experience: frequently false positives | | Christian's 2.2.X experience: frequently false positives | ||
| + | |} | ||
| + | |||
| + | |||
| + | ===Rules from 2.2.X, missing in 3.0.0-rc1=== | ||
| + | |||
| + | It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all. | ||
| + | |||
| + | When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend. | ||
| + | |||
| + | |||
| + | {|- class="wikitable" | ||
| + | |'''2.2.X rule id''' | ||
| + | | '''msg''' | ||
| + | | '''remarks''' | ||
| + | |- | ||
| + | | 950002 | ||
| + | | System Command Access | ||
| + | | | ||
| + | |- | ||
| + | | 950006 | ||
| + | | System Command Injection | ||
| + | | | ||
| + | |- | ||
| + | | 950007 | ||
| + | | Blind SQL Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 950008 | ||
| + | | Injection of Undocumented ColdFusion Tags | ||
| + | | | ||
| + | |- | ||
| + | | 950010 | ||
| + | | LDAP Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 950011 | ||
| + | | SSI injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 950018 | ||
| + | | Universal PDF XSS URL Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 950019 | ||
| + | | Email Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 950908 | ||
| + | | SQL Injection Attack. | ||
| + | | | ||
| + | |- | ||
| + | | 950921 | ||
| + | | Backdoor access | ||
| + | | | ||
| + | |- | ||
| + | | 950922 | ||
| + | | Backdoor access | ||
| + | | | ||
| + | |- | ||
| + | | 958000 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958001 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958002 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958003 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958004 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958005 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958006 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958007 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958008 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958009 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958010 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958011 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958012 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958013 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958016 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958017 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958018 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958019 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958020 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958022 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958023 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958024 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958025 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958026 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958027 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958028 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958030 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958031 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958032 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958033 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958034 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958036 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958037 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958038 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958039 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958040 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958041 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958045 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958046 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958047 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958049 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958051 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958052 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958054 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958056 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958057 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958059 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958291 | ||
| + | | Range: field exists and begins with 0. | ||
| + | | | ||
| + | |- | ||
| + | | 958404 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958405 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958406 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958407 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958408 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958409 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958410 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958411 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958412 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958413 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958414 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958415 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958416 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958417 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958418 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958419 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958420 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958421 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958422 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958423 | ||
| + | | Cross-site Scripting (XSS) Attack | ||
| + | | | ||
| + | |- | ||
| + | | 958976 | ||
| + | | PHP Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 959070 | ||
| + | | SQL Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 959071 | ||
| + | | SQL Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 959072 | ||
| + | | SQL Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 959073 | ||
| + | | SQL Injection Attack | ||
| + | | | ||
| + | |- | ||
| + | | 960014 | ||
| + | | Proxy access attempt | ||
| + | | | ||
| + | |- | ||
| + | | 960018 | ||
| + | | Invalid character in request | ||
| + | | | ||
| + | |- | ||
| + | | 960020 | ||
| + | | Pragma Header requires Cache-Control Header for HTTP/1.1 requests. | ||
| + | | | ||
| + | |- | ||
| + | | 960022 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 960024 | ||
| + | | Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters | ||
| + | | | ||
| + | |- | ||
| + | | 960902 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 960913 | ||
| + | | Invalid request | ||
| + | | | ||
| + | |- | ||
| + | | 970007 | ||
| + | | Zope Information Leakage | ||
| + | | | ||
| + | |- | ||
| + | | 970008 | ||
| + | | Cold Fusion Information Leakage | ||
| + | | | ||
| + | |- | ||
| + | | 970010 | ||
| + | | ISA server existence revealed | ||
| + | | | ||
| + | |- | ||
| + | | 970011 | ||
| + | | File or Directory Names Leakage | ||
| + | | | ||
| + | |- | ||
| + | | 970012 | ||
| + | | Microsoft Office document properties leakage | ||
| + | | | ||
| + | |- | ||
| + | | 970016 | ||
| + | | Cold Fusion source code leakage | ||
| + | | | ||
| + | |- | ||
| + | | 970018 | ||
| + | | IIS installed in default location | ||
| + | | | ||
| + | |- | ||
| + | | 970021 | ||
| + | | WebLogic information disclosure | ||
| + | | | ||
| + | |- | ||
| + | | 970903 | ||
| + | | ASP/JSP source code leakage | ||
| + | | | ||
| + | |- | ||
| + | | 973300 | ||
| + | | Possible XSS Attack Detected - HTML Tag Handler | ||
| + | | | ||
| + | |- | ||
| + | | 973301 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973302 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973303 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973304 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973305 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973306 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973307 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973308 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973309 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973310 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973311 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973312 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973313 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973314 | ||
| + | | XSS Attack Detected | ||
| + | | | ||
| + | |- | ||
| + | | 973316 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973325 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973327 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973328 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973329 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973330 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973331 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973332 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973333 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973334 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973335 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 973347 | ||
| + | | IE XSS Filters - Attack Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 981000 | ||
| + | | Possibly malicious iframe tag in output | ||
| + | | | ||
| + | |- | ||
| + | | 981001 | ||
| + | | Possibly malicious iframe tag in output | ||
| + | | | ||
| + | |- | ||
| + | | 981003 | ||
| + | | Malicious iframe+javascript tag in output | ||
| + | | | ||
| + | |- | ||
| + | | 981004 | ||
| + | | Potential Obfuscated Javascript in Output - Excessive fromCharCode | ||
| + | | | ||
| + | |- | ||
| + | | 981005 | ||
| + | | Potential Obfuscated Javascript in Output - Eval+Unescape | ||
| + | | | ||
| + | |- | ||
| + | | 981006 | ||
| + | | Potential Obfuscated Javascript in Output - Unescape | ||
| + | | | ||
| + | |- | ||
| + | | 981007 | ||
| + | | Potential Obfuscated Javascript in Output - Heap Spray | ||
| + | | | ||
| + | |- | ||
| + | | 981018 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981022 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981133 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981134 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981136 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981172 | ||
| + | | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | ||
| + | | | ||
| + | |- | ||
| + | | 981173 | ||
| + | | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | ||
| + | | | ||
| + | |- | ||
| + | | 981177 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981178 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981231 | ||
| + | | SQL Comment Sequence Detected. | ||
| + | | | ||
| + | |- | ||
| + | | 981260 | ||
| + | | SQL Hex Encoding Identified | ||
| + | | | ||
| + | |- | ||
| + | | 981300 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981301 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981302 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981303 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981304 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981305 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981306 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981307 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981308 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981309 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981310 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981311 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981312 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981313 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981314 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981315 | ||
| + | | UNKNOWN | ||
| + | | | ||
| + | |- | ||
| + | | 981316 | ||
| + | | SQL SELECT Statement Anomaly Detection Alert | ||
| + | | | ||
| + | |- | ||
| + | | 981317 | ||
| + | | SQL SELECT Statement Anomaly Detection Alert | ||
| + | | | ||
| + | |- | ||
| + | | 990012 | ||
| + | | Rogue web site crawler | ||
| + | | | ||
|} | |} | ||
Revision as of 20:49, 26 January 2016
Abstract
This is a page about the development of a paranoia mode aka bringing back the rules that used to yield a high number of false positives. This little project is aimed at inclusion into the 3.0.0 release of the OWASP ModSecurity Core Rules, where some rules have been removed in order to reduce the number of false positives with vanilla installations.
FIXME: Detailed description
Back to the OWASP ModSecurity Core Rules Set.
Sub-Project Infos
- Status: active (January 2016)
- Schedule: Pull request in January 2016
- Who: Christian Folini (dune73), Noël Zindel (zino), Franziska Bühler (franziskabuehler), Manuel Leos (Spartan), FIXME
- Documentation: Here on the OWASP Wiki
- Discussion / Archive: [email protected] / archive: http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
- Github Link: https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
- Final Pull Request: FIXME
Tasks
Open Tasks
Please define state as follows: new, assigned, waiting, closed. When a task it is closed, it is moved to the seperate closed tasks table below.
| Task | Who | Status |
| Assemble list of disappeared rules, which should be brought back | n.n. | new |
| Assemble list of 3.0.0-rc1 rules, which could be moved to the paranoia mode | Franziska | assigned |
| Assemble list of 3.0.0-rc1 rules, which could be accompanied with stricter siblings in paranoia mode (same idea of the rule, but harder limit etc.) |
Christian | assigned |
| Nail down final list of rules which should me move / recreated into the paranoia mode | group | new |
| Write new stricter siblings for existing rules | Noël | assigned |
| Sort out mechanics of the paranoia mode | n.n. | new |
| Define exact syntax of paranoia mode setup | Christian | waiting |
| Sort out name: Is "Paranoia Mode" really the right term? | Christian | waiting |
| Write pull request | n.n. | new |
| Submit pull request | n.n. | new |
| Draw flowchart | n.n. | new |
| Write documentation | n.n. | new |
Closed Tasks
| Task | Who | Status |
| Assemble list of rules, which triggered false positives in 2.2.X frequently | Christian | closed |
| Assemble list of 2.2.x rules, which have disappeared from 3.0.0-rc1 | Spartan | closed |
Rules
Paranoia Mode Candidates
The 3.0.0-rc1 has all rules renumbered. Existing numbering was fairly crazy and the new numbering follows the numbering scheme of the rules files (-> 9<2-digit-rulefile><3-digit-id>) A mapping table exists [IdNumbering.csv] We need to make sure, we do not mess things up, so let's add both IDs to the table, the old one and the new one.
Please set status as follows : candidate, cloning-candidate, unsure, dropped.
- 'cloning-candidates' are rules, that could be cloned into an even stricter variant with a stricter limit in a higher paranoia setting.
- If dropped, please provide reasoning in the remarks.
| RuleID 2.2.x | RuleID 3.0.0-rc1 | msg | Status | Remarks |
| 950001 | 942150 | SQL Injection Attack | candidate | Christian's 2.2.X experience: frequently false positives |
| 950109 | 920230 | Multiple URL Encoding Detected | candidate | Christian's 2.2.X experience: frequently false positives |
| 950901 | 942130 | SQL Injection Attack: SQL Tautology Detected. | candidate | Christian's 2.2.X experience: very frequently false positives |
| 950907 | 932100 | System Command Injection | candidate | Christian's 2.2.X experience: frequently false positives |
| 959070 | gone | SQL Injection Attack | candidate | Christian's 2.2.X experience: frequently false positives |
| 959071 | gone | SQL Injection Attack | candidate | Christian's 2.2.X experience: frequently false positives |
| 959072 | gone | SQL Injection Attack | candidate | Christian's 2.2.X experience: frequently false positives |
| 959073 | gone | SQL Injection Attack | candidate | Christian's 2.2.X experience: very frequently false positives |
| 960015 | 920300 | Request Missing an Accept Header | candidate | Christian's 2.2.X experience: very frequently false positives |
| 960017 | 920350 | Host header is a numeric IP address | candidate | Christian's 2.2.X experience: very frequently false positives |
| 960024 | gone | Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters | candidate | Christian's 2.2.X experience: very frequently false positives |
| 960035 | 920440 | URL file extension is restricted by policy | candidate | Christian's 2.2.X experience: frequently false positives |
| 973300 | gone | Possible XSS Attack Detected - HTML Tag Handler | candidate | Christian's 2.2.X experience: frequently false positives |
| 973332 | gone | IE XSS Filters - Attack Detected. | candidate | Christian's 2.2.X experience: frequently false positives |
| 973333 | gone | IE XSS Filters - Attack Detected. | candidate | Christian's 2.2.X experience: frequently false positives |
| 981172 | gone | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | candidate | Christian's 2.2.X experience: very frequently false positives |
| 981173 | gone | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | candidate | Christian's 2.2.X experience: very frequently false positives |
| 981231 | gone | SQL Comment Sequence Detected. | candidate | Christian's 2.2.X experience: very frequently false positives |
| 981240 | 942300 | Detects MySQL comments, conditions and ch(a)r injections | candidate | Christian's 2.2.X experience: frequently false positives |
| 981242 | 942330 | Detects classic SQL injection probings 1/2 | candidate | Christian's 2.2.X experience: frequently false positives |
| 981243 | 942370 | Detects classic SQL injection probings 2/2 | candidate | Christian's 2.2.X experience: very frequently false positives |
| 981244 | 942180 | Detects basic SQL authentication bypass attempts 1/3 | candidate | Christian's 2.2.X experience: frequently false positives |
| 981245 | 942260 | Detects basic SQL authentication bypass attempts 2/3 | candidate | Christian's 2.2.X experience: frequently false positives |
| 981246 | 942340 | Detects basic SQL authentication bypass attempts 3/3 | candidate | Christian's 2.2.X experience: frequently false positives |
| 981248 | 942210 | Detects chained SQL injection attempts 1/2 | candidate | Christian's 2.2.X experience: very frequently false positives |
| 981249 | 942310 | Detects chained SQL injection attempts 2/2 | candidate | Christian's 2.2.X experience: frequently false positives |
| 981257 | 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination | candidate | Christian's 2.2.X experience: frequently false positives |
| 981260 | gone | SQL Hex Encoding Identified | candidate | Christian's 2.2.X experience: very frequently false positives |
| 981319 | 942120 | SQL Injection Attack: SQL Operator Detected | candidate | Christian's 2.2.X experience: frequently false positives |
Rules from 2.2.X, missing in 3.0.0-rc1
It looks as if only the base_rules made it into 3.0.0. In fact there are a few rule ids know from the optional and experimental rule folders in 2.2.X, but it is more likely, these are new 3.0.0 rules reusing old rule ids as the rules (regexes and msg) do not match at all.
When trying to generate the list below, be aware that the rule ids have been renumbered between 3.0.0-dev and 3.0.0-rc1. IdNumbering.csv in your friend.
| 2.2.X rule id | msg | remarks |
| 950002 | System Command Access | |
| 950006 | System Command Injection | |
| 950007 | Blind SQL Injection Attack | |
| 950008 | Injection of Undocumented ColdFusion Tags | |
| 950010 | LDAP Injection Attack | |
| 950011 | SSI injection Attack | |
| 950018 | Universal PDF XSS URL Detected. | |
| 950019 | Email Injection Attack | |
| 950908 | SQL Injection Attack. | |
| 950921 | Backdoor access | |
| 950922 | Backdoor access | |
| 958000 | Cross-site Scripting (XSS) Attack | |
| 958001 | Cross-site Scripting (XSS) Attack | |
| 958002 | Cross-site Scripting (XSS) Attack | |
| 958003 | Cross-site Scripting (XSS) Attack | |
| 958004 | Cross-site Scripting (XSS) Attack | |
| 958005 | Cross-site Scripting (XSS) Attack | |
| 958006 | Cross-site Scripting (XSS) Attack | |
| 958007 | Cross-site Scripting (XSS) Attack | |
| 958008 | Cross-site Scripting (XSS) Attack | |
| 958009 | Cross-site Scripting (XSS) Attack | |
| 958010 | Cross-site Scripting (XSS) Attack | |
| 958011 | Cross-site Scripting (XSS) Attack | |
| 958012 | Cross-site Scripting (XSS) Attack | |
| 958013 | Cross-site Scripting (XSS) Attack | |
| 958016 | Cross-site Scripting (XSS) Attack | |
| 958017 | Cross-site Scripting (XSS) Attack | |
| 958018 | Cross-site Scripting (XSS) Attack | |
| 958019 | Cross-site Scripting (XSS) Attack | |
| 958020 | Cross-site Scripting (XSS) Attack | |
| 958022 | Cross-site Scripting (XSS) Attack | |
| 958023 | Cross-site Scripting (XSS) Attack | |
| 958024 | Cross-site Scripting (XSS) Attack | |
| 958025 | Cross-site Scripting (XSS) Attack | |
| 958026 | Cross-site Scripting (XSS) Attack | |
| 958027 | Cross-site Scripting (XSS) Attack | |
| 958028 | Cross-site Scripting (XSS) Attack | |
| 958030 | Cross-site Scripting (XSS) Attack | |
| 958031 | Cross-site Scripting (XSS) Attack | |
| 958032 | Cross-site Scripting (XSS) Attack | |
| 958033 | Cross-site Scripting (XSS) Attack | |
| 958034 | Cross-site Scripting (XSS) Attack | |
| 958036 | Cross-site Scripting (XSS) Attack | |
| 958037 | Cross-site Scripting (XSS) Attack | |
| 958038 | Cross-site Scripting (XSS) Attack | |
| 958039 | Cross-site Scripting (XSS) Attack | |
| 958040 | Cross-site Scripting (XSS) Attack | |
| 958041 | Cross-site Scripting (XSS) Attack | |
| 958045 | Cross-site Scripting (XSS) Attack | |
| 958046 | Cross-site Scripting (XSS) Attack | |
| 958047 | Cross-site Scripting (XSS) Attack | |
| 958049 | Cross-site Scripting (XSS) Attack | |
| 958051 | Cross-site Scripting (XSS) Attack | |
| 958052 | Cross-site Scripting (XSS) Attack | |
| 958054 | Cross-site Scripting (XSS) Attack | |
| 958056 | Cross-site Scripting (XSS) Attack | |
| 958057 | Cross-site Scripting (XSS) Attack | |
| 958059 | Cross-site Scripting (XSS) Attack | |
| 958291 | Range: field exists and begins with 0. | |
| 958404 | Cross-site Scripting (XSS) Attack | |
| 958405 | Cross-site Scripting (XSS) Attack | |
| 958406 | Cross-site Scripting (XSS) Attack | |
| 958407 | Cross-site Scripting (XSS) Attack | |
| 958408 | Cross-site Scripting (XSS) Attack | |
| 958409 | Cross-site Scripting (XSS) Attack | |
| 958410 | Cross-site Scripting (XSS) Attack | |
| 958411 | Cross-site Scripting (XSS) Attack | |
| 958412 | Cross-site Scripting (XSS) Attack | |
| 958413 | Cross-site Scripting (XSS) Attack | |
| 958414 | Cross-site Scripting (XSS) Attack | |
| 958415 | Cross-site Scripting (XSS) Attack | |
| 958416 | Cross-site Scripting (XSS) Attack | |
| 958417 | Cross-site Scripting (XSS) Attack | |
| 958418 | Cross-site Scripting (XSS) Attack | |
| 958419 | Cross-site Scripting (XSS) Attack | |
| 958420 | Cross-site Scripting (XSS) Attack | |
| 958421 | Cross-site Scripting (XSS) Attack | |
| 958422 | Cross-site Scripting (XSS) Attack | |
| 958423 | Cross-site Scripting (XSS) Attack | |
| 958976 | PHP Injection Attack | |
| 959070 | SQL Injection Attack | |
| 959071 | SQL Injection Attack | |
| 959072 | SQL Injection Attack | |
| 959073 | SQL Injection Attack | |
| 960014 | Proxy access attempt | |
| 960018 | Invalid character in request | |
| 960020 | Pragma Header requires Cache-Control Header for HTTP/1.1 requests. | |
| 960022 | UNKNOWN | |
| 960024 | Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters | |
| 960902 | UNKNOWN | |
| 960913 | Invalid request | |
| 970007 | Zope Information Leakage | |
| 970008 | Cold Fusion Information Leakage | |
| 970010 | ISA server existence revealed | |
| 970011 | File or Directory Names Leakage | |
| 970012 | Microsoft Office document properties leakage | |
| 970016 | Cold Fusion source code leakage | |
| 970018 | IIS installed in default location | |
| 970021 | WebLogic information disclosure | |
| 970903 | ASP/JSP source code leakage | |
| 973300 | Possible XSS Attack Detected - HTML Tag Handler | |
| 973301 | XSS Attack Detected | |
| 973302 | XSS Attack Detected | |
| 973303 | XSS Attack Detected | |
| 973304 | XSS Attack Detected | |
| 973305 | XSS Attack Detected | |
| 973306 | XSS Attack Detected | |
| 973307 | XSS Attack Detected | |
| 973308 | XSS Attack Detected | |
| 973309 | XSS Attack Detected | |
| 973310 | XSS Attack Detected | |
| 973311 | XSS Attack Detected | |
| 973312 | XSS Attack Detected | |
| 973313 | XSS Attack Detected | |
| 973314 | XSS Attack Detected | |
| 973316 | IE XSS Filters - Attack Detected. | |
| 973325 | IE XSS Filters - Attack Detected. | |
| 973327 | IE XSS Filters - Attack Detected. | |
| 973328 | IE XSS Filters - Attack Detected. | |
| 973329 | IE XSS Filters - Attack Detected. | |
| 973330 | IE XSS Filters - Attack Detected. | |
| 973331 | IE XSS Filters - Attack Detected. | |
| 973332 | IE XSS Filters - Attack Detected. | |
| 973333 | IE XSS Filters - Attack Detected. | |
| 973334 | IE XSS Filters - Attack Detected. | |
| 973335 | IE XSS Filters - Attack Detected. | |
| 973347 | IE XSS Filters - Attack Detected. | |
| 981000 | Possibly malicious iframe tag in output | |
| 981001 | Possibly malicious iframe tag in output | |
| 981003 | Malicious iframe+javascript tag in output | |
| 981004 | Potential Obfuscated Javascript in Output - Excessive fromCharCode | |
| 981005 | Potential Obfuscated Javascript in Output - Eval+Unescape | |
| 981006 | Potential Obfuscated Javascript in Output - Unescape | |
| 981007 | Potential Obfuscated Javascript in Output - Heap Spray | |
| 981018 | UNKNOWN | |
| 981022 | UNKNOWN | |
| 981133 | UNKNOWN | |
| 981134 | UNKNOWN | |
| 981136 | UNKNOWN | |
| 981172 | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | |
| 981173 | Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded | |
| 981177 | UNKNOWN | |
| 981178 | UNKNOWN | |
| 981231 | SQL Comment Sequence Detected. | |
| 981260 | SQL Hex Encoding Identified | |
| 981300 | UNKNOWN | |
| 981301 | UNKNOWN | |
| 981302 | UNKNOWN | |
| 981303 | UNKNOWN | |
| 981304 | UNKNOWN | |
| 981305 | UNKNOWN | |
| 981306 | UNKNOWN | |
| 981307 | UNKNOWN | |
| 981308 | UNKNOWN | |
| 981309 | UNKNOWN | |
| 981310 | UNKNOWN | |
| 981311 | UNKNOWN | |
| 981312 | UNKNOWN | |
| 981313 | UNKNOWN | |
| 981314 | UNKNOWN | |
| 981315 | UNKNOWN | |
| 981316 | SQL SELECT Statement Anomaly Detection Alert | |
| 981317 | SQL SELECT Statement Anomaly Detection Alert | |
| 990012 | Rogue web site crawler |
