Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring

[Ryan Barnett]

From: "Canell, Stephen E (2240)" 
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>
Date: Fri, 20 Jul 2012 13:02:16 -0500
To: Ryan Barnett <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>>, 
"Canell, Stephen E (2240)" 
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>, 
"owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>"
 
<owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>>
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring

Ryan,
So what you are saying is that the var names will trigger these rules.

I'll give that a whirl!

Thank you for the response.

Yes, these rule work by first checking various TARGETS for possible SQLi 
keywords (ARGS_NAMES is one of the var collections checked)-

SecRule 
REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* 
"@pm select show top distinct from dual where group by order having limit 
offset union rownum as (case" 
"phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement}
 %{matched_var}'"

If there is a match, that data is appended to the TX.SQLI_SELECT_STATEMENT 
value which is then checked against the other individual rules and anomaly 
scores are then increases.

The final rule in this group simply checks to see if there are 3 or more SQLi 
keyword matches within the TX value.

-Ryan



-=Steve
From: Ryan Barnett <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>>
Date: Friday, July 20, 2012 10:48 AM
To: Stephen Canell 
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>, 
"owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>"
 
<owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>>
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring


From: "Canell, Stephen E (2240)" 
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>
Date: Fri, 20 Jul 2012 12:13:22 -0500
To: 
"owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>"
 
<owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>>
Subject: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring


#
# SQL Keyword Anomaly Scoring:

I am having issues fine tuning all SQL rules for a COTS product.  This relates 
to the ID 981301 - 981316 with 981317.
I get a 403 from 918317 related to the previous SecRules because of the keyword 
count trigger.
Would the keyword in 301-316 be triggered by variables names having SQL 
keywords in the var name, such as:
 "search.selectedJobFamily.value" (981301 - select)

Also,
 I have two variables where users can enter an entire resume, so most, if not 
all of the SQL keywords in the SQL rules 301-316 will get hit!

I have seen the use SecRuleUpdateById in conjunction of !ARGS:<var> used, but 
301-316 uses TX:SQLI….. How do I use the SecRuleUpdateById with TX vs ARGS, and 
or
what is the best way to allow all words for these two variables and not set off 
the SQL triggers.

Thank you
Steve

Steve,
If you don't want these SQL keyword checks to search ARGS_NAMES collection at 
all, you can use this -

SecRuleUpdateTargetsById 981300 "!ARGS_NAMES"

Optionally, you can specify the individual ARGS_NAMES variables that are 
causing false positives -

SecRuleUpdateTargetsById 981300 "!ARGS_NAMES:search.selectedJobFamily.value"

-Ryan

________________________________
This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.

________________________________
This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set