Hi Ray,

In addition to your fix I needed to update TX.SQLI_SCORE in modsecurity_crs_60_correlation.conf too. Now everything works fine.
Thank you very much.

-Paul

-----Original Message-----
From: Ryan Barnett [mailto:[email protected]]
Sent: Monday, 1 November 2010 18:21
To: Paul Rosenbusch; [email protected]
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Rules - SQLi Score isn't set properly

On 11/1/10 1:09 PM, "Paul Rosenbusch" <[email protected]> wrote:

> Hi,
>
> when I simulate SQL-Injection Attacks while using the
> owasp-modsecurity-core-rule-set, the SQLi Score shows up empty in my
> audit logfile. The inbound anomaly score is exceeded and the attack is
> classified as "SQL Injection Attack", but there seems to be a bug with the
> SQLi Score.
>
> I use modsecurity-crs_2.0.8 and checked the
> modsecurity_crs_41_sql_injection_attacks.conf -
> setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score} seems to
> be called properly on every entry.
>
> Does anybody have a clue why this happens?
>
> Thanks for your help
>

Hey Paul. I am assuming that you are referring to the TX SQLI macro expansions in the modsecurity_crs_49_inbound_blocking.conf file (SQLi=%{TX.SQLI_SCORE})?

If so, then yes, I see the problem. The rules were actually updated to use this TX collection name instead -

setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}.
So, you can update the TX data in the 49 file to properly reference it -

# Alert and Block based on Anomaly Scores
#
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"

# Alert and Block on a specific attack category such as SQL Injection
#
#SecRule TX:SQL_INJECTION_SCORE "@gt 0" \
#    "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'"

I will update the CRS as well and it will be fixed in V2.0.9

-Ryan

> PR

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
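
The mismatch discussed in this thread (a %{TX.SQLI_SCORE} macro that no rule ever sets) can be caught mechanically. The script below is an added example, not part of the original messages or of the CRS; the function names and the simplified rule fragments in CRS_SAMPLE are constructed for illustration, and only setvar writes, %{tx.*} macros and TX: rule targets are considered.

```python
import re

# TX variable names are case-insensitive in ModSecurity, so compare lowercased.
SETVAR = re.compile(r"setvar:'?tx\.([a-z0-9_]+)", re.I)
REF = re.compile(r"%\{tx\.([a-z0-9_]+)\}|\bTX:([a-z0-9_]+)", re.I)

def _rule_lines(text):
    """Yield (lineno, line) for lines that are neither blank nor comments."""
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield n, line

def find_unset_tx_refs(files):
    """Return sorted (file, line, name) for TX variables read but never set."""
    defined = set()
    for text in files.values():
        for _, line in _rule_lines(text):
            defined.update(m.lower() for m in SETVAR.findall(line))
    missing = []
    for fname, text in files.items():
        for n, line in _rule_lines(text):
            for macro, target in REF.findall(line):
                name = (macro or target).lower()
                # tx.0 .. tx.9 are filled by the capture action, not setvar
                if not name.isdigit() and name not in defined:
                    missing.append((fname, n, name))
    return sorted(set(missing))

# Constructed, simplified fragments (not the real CRS files), pre-fix state.
CRS_SAMPLE = {
    "modsecurity_crs_10_config.conf":
        'SecAction "phase:1,t:none,nolog,pass,'
        'setvar:tx.critical_anomaly_score=5,'
        'setvar:tx.inbound_anomaly_score_level=5"\n',
    "modsecurity_crs_41_sql_injection_attacks.conf":
        'SecRule ARGS "@contains union select" "phase:2,t:none,block,'
        "msg:'SQL Injection Attack',setvar:tx.msg=%{rule.msg},"
        'setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},'
        'setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"\n',
    "modsecurity_crs_49_inbound_blocking.conf":
        'SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:2,t:none,block,'
        "msg:'Inbound Anomaly Score Exceeded (Total Score: "
        "%{TX.ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}): %{tx.msg}'\"\n"
        'SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"\n',
}

if __name__ == "__main__":
    for fname, lineno, name in find_unset_tx_refs(CRS_SAMPLE):
        print(f"{fname}:{lineno}: tx.{name} is read but never set")
```

To check a real installation, build the dictionary from the contents of the rule files instead of CRS_SAMPLE; variables populated by mechanisms other than setvar will show up as findings to review by hand.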
