I would like to update the logic of the this ruleset -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/optional_rules/modsecurity_crs_10_ignore_static.conf
The concept is that rather than audit log all transactions (with SecAuditLog
On), you want to exclude logging requests for static resources. The trick is
that we need to try and ensure that the attack surface is significantly
reduced. In order to do that, I am testing this updated ruleset -
SecRule REQUEST_METHOD "@pm GET HEAD"
"id:'999001',chain,phase:1,t:none,nolog,pass"
SecRule REQUEST_URI "!@contains ?" "chain"
SecRule &ARGS "@eq 0" "chain"
SecRule
&REQUEST_HEADERS:Content-Length|&REQUEST_HEADERS:Content-Type "@eq 0"
"ctl:ruleEngine=Off,ctl:auditEngine=Off"
This rule checks the following -
1. That the request method is either a GET or HEAD. If it is anything else,
they it should probably be logged as it is a dynamic request method looking to
alter data.
2. Verifies that there is no query string by checking for ? Char in the URI.
3. Verifies that there are no ARGS being passed
4. Verifies that there is no request body by checking for the existence of
Content-Length and Content-Type request headers.
If all of these rules match, then the ctl actions are used to toggle off both
the audit and rule engines.
Does anyone have any feedback on this updated ruleset? Any improvements?
Thanks.
--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
________________________________
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the intended
recipient, you are hereby notified that any disclosure, copying, distribution,
or use of the information contained herein (including any reliance thereon) is
STRICTLY PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
