Hi, after I installed mod_sec with CRS, I found a false positive which is
triggered by the section "SQL Tautologies" in
modsecurity_crs_41_sql_injection_attacks.conf. I think this rule is aimed at
finding probe actions like ?para=-1 and 1=1 or ?para=-1' and '1'='1,
but it was most often triggered when it met a URL/cookie like a=action, because
of a match on a=a.
I think the regular expression below can be more accurate (based on
SpiderLabs-owasp-modsecurity-crs-v2.2.5-0-g28e4ec8.tar.gz), just replacing
([\d\w]+) by (\d+|'\w+') and (\d+|'\w+):
$ diff -Nur base_rules/modsecurity_crs_41_sql_injection_attacks.conf.bak
base_rules/modsecurity_crs_41_sql_injection_attacks.conf---
base_rules/modsecurity_crs_41_sql_injection_attacks.conf.bak 2012-10-23
17:25:57.417231153 +0800+++
base_rules/modsecurity_crs_41_sql_injection_attacks.conf 2012-10-23
17:26:14.820567687 +0800@@ -73,7 +73,7 @@ # # -=[ SQL Tautologies ]=- #-SecRule
REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*
"(?i:([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*)?\2|([\s'\"`´’‘\(\)]*)?([\d\w]+)([\s'\"`´’‘\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*)?(?!\6)([\d\w]+))"
\+SecRule
REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*
"(?i:([\s'\"`´’‘\(\)]*)?(\d+|'\w+')([\s'\"`´’‘\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*)?\2|([\s'\"`´’‘\(\)]*)?(\d+|'\w+')([\s'\"`´’‘\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*)?(?!\6)(\d+|'\w+))"
\
"phase:2,rev:'2.2.5',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL
Injection
Attack',id:'950901',logdata:'%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
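Review bot: the narrowed operand (\d+|'\w+') in the + line drops the a=action false positive, but it also stops the rule from matching bare-identifier tautologies (name=name, x=x) and anything in double quotes or backticks, even though the surrounding character class still allows those quote styles; that reduction in coverage should be stated in the rule's comment block and the rev field bumped from '2.2.5' so the change is visible. The last operand in the inequality branch is (\d+|'\w+) without a closing quote while the other two are (\d+|'\w+'), so the second branch accepts a dangling quoted token that the first does not; if that asymmetry is deliberate (a trailing quote belonging to the next token), say so in a comment, otherwise make the three operands identical.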
Is this more accurate? And thanks for the great work!
Regards,
tm3y
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
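The comparison the message makes can be checked directly. The script below is an added example, not code from the original mail or from the CRS project: it assembles the CRS 2.2.5 "SQL Tautologies" pattern and the proposed variant with Python's re (which handles the (?i:...), backreference and negative-lookahead constructs the same way PCRE does here), then runs both over constructed sample values: the a=action false positive from the message, two classic probes, an inequality probe, and a bare-identifier tautology that shows what the narrower operand gives up. The rule's transformations (t:urlDecodeUni, t:replaceComments) are not applied; the samples are already decoded.

```python
import re

# Operand "noise" that rule 950901 tolerates on each side of the comparison
# (whitespace, several quote styles, parentheses), copied from the rule as
# quoted in the message. The \" is how the quote is written inside the
# ModSecurity config string; Python's re also reads \" as a literal quote.
NOISE = r"([\s'\"`´’‘\(\)]*)?"
# Equality-style operators (first branch) and inequality-style operators
# (second branch), also copied from the rule.
CMP_EQ = r"(?:=|<=>|r?like|sounds\s+like|regexp)"
CMP_NE = r"(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)"


def tautology_pattern(eq_operand: str, ne_left: str, ne_right: str) -> re.Pattern:
    """Build the 'SQL Tautologies' regex with operand sub-patterns plugged in.

    Group numbering is kept identical to the rule (operands are groups 2, 6
    and 9) so the \\2 and (?!\\6) backreferences refer to the same operands.
    """
    return re.compile(
        "(?i:"
        + NOISE + "(" + eq_operand + ")" + NOISE + CMP_EQ + NOISE + r"\2"
        + "|"
        + NOISE + "(" + ne_left + ")" + NOISE + CMP_NE + NOISE
        + r"(?!\6)(" + ne_right + ")"
        + ")"
    )


# Operands as shipped in CRS 2.2.5: any run of word characters.
ORIGINAL = tautology_pattern(r"[\d\w]+", r"[\d\w]+", r"[\d\w]+")
# Operands as proposed in the message: a number, or a single-quoted word
# (the last operand of the inequality branch has no closing quote, as posted).
PROPOSED = tautology_pattern(r"\d+|'\w+'", r"\d+|'\w+'", r"\d+|'\w+")


def tautology_match(pattern: re.Pattern, value: str):
    """Return the text the rule would log as %{TX.0}, or None if it would not fire."""
    m = pattern.search(value)
    return m.group(0) if m else None


def compare(values):
    """Map each sample value to (match under ORIGINAL, match under PROPOSED)."""
    return {v: (tautology_match(ORIGINAL, v), tautology_match(PROPOSED, v))
            for v in values}


# Constructed sample values (not taken from any real traffic).
SAMPLES = [
    "a=action",          # the false positive reported in the message
    "1=1",               # classic numeric tautology probe
    "-1' and '1'='1",    # classic quoted tautology probe
    "1<>2",              # exercises the inequality branch
    "name=name",         # bare-identifier tautology: lost under the proposal
]

if __name__ == "__main__":
    for value, (old, new) in compare(SAMPLES).items():
        print(f"{value!r:20} original={old!r:14} proposed={new!r}")
```

The table this prints makes the trade-off concrete: the proposed operand no longer fires on a=action, still catches 1=1, '1'='1 and 1<>2, but is silent on name=name, which the shipped pattern reports.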