Great. Thanks for the confirmation. 

I feared there was something wrong with ModSec as it is a rarely used
feature and I only tried it out the first time when I covered 
SecRuleUpdateActionById for the 2nd edition of the handbook.

Ahoj,

Christian

On Thu, Jun 01, 2017 at 08:31:17AM +0000, Brian Bird wrote:
> Thanks! I've just tried it again as per your example and it seems to work (so 
> I can only assume I had the rules in the wrong order when I first tried it).
> 
> -----Original Message-----
> From: Christian Folini [mailto:christian.fol...@netnea.com] 
> Sent: 01 June 2017 08:08
> To: Brian Bird <brian.b...@securetrading.com>
> Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] SecRuleUpdateActionById and 
> chained rules
> 
> Brian,
> 
> I think you are doing it wrong. It works out of the box for me:
> 
> Here is part of my config:
> 
> Include                 crs-rules/*.conf
> SecRuleUpdateActionById 920440:1 "setvar:tx.anomaly_score=+100"
> 
> Then I made the following call, which triggers the rule 920440.
> 
> $> curl localhost/index.asa
> 
> And here is the debug log:
> 
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][5] Rule 
> 55c6732d66f0: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" 
> "phase:request,log,auditlog,chain,capture,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL
>  file extension is restricted by 
> policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920440,logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,setvar:tx.extension=.%{tx.1}/"
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] T (0) 
> urlDecodeUni: "index.asa"
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] T (0) 
> lowercase: "index.asa"
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Transformation 
> completed in 4 usec.
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Executing 
> operator "rx" with param "\\.(.*)$" against REQUEST_BASENAME.
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Target value: 
> "index.asa"
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Added regex 
> subexpression to TX.0: .asa
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Added regex 
> subexpression to TX.1: asa
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Operator 
> completed in 7 usec.
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Setting 
> variable: tx.extension=.%{tx.1}/
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Resolved macro 
> %{tx.1} to: asa
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Set variable 
> "tx.extension" to ".asa/".
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Rule returned 1.
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Match -> mode 
> NEXT_RULE.
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Recipe: 
> Invoking rule 55c6732de088; [file 
> "/home/dune73/data/git/crs-official/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
>  [line "1075"].
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][5] Rule 
> 55c6732de088: SecRule "TX:EXTENSION" "@within %{tx.restricted_extensions}" 
> "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var},setvar:tx.anomaly_score=+100"
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Transformation 
> completed in 0 usec.
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Executing 
> operator "within" with param "%{tx.restricted_extensions}" against 
> TX:extension.
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Target value: 
> ".asa/"
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Resolved macro 
> %{tx.restricted_extensions} to: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ 
> .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ 
> .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ 
> .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ 
> .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][4] Operator 
> completed in 9 usec.
> --
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Resolved macro 
> %{rule.id} to: 920440
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Resolved macro 
> %{matched_var_name} to: TX:extension
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Resolved macro 
> %{matched_var} to: .asa/
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Set variable 
> "tx.920440-OWASP_CRS/POLICY/EXT_RESTRICTED-TX:extension" to ".asa/".
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Setting 
> variable: tx.anomaly_score=+100
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Original 
> collection variable: tx.anomaly_score = "5"
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Relative 
> change: anomaly_score=5+100
> [01/Jun/2017:09:02:51 +0200] 
> [localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa][9] Set variable 
> "tx.anomaly_score" to "105".
> 
> 
> Maybe you have your Update statement before the rule include. Other than that 
> I do not know what's wrong.
> 
> Cheers,
> 
> Christian
> 
> On Tue, May 30, 2017 at 09:45:26AM +0000, Brian Bird wrote:
> > I'm deploying modsecurity 2.9.1 with the OWASP CRS 3.0.2 rules.
> > 
> > I'd like to update a few rules to have different anomaly scores. This is 
> > quite easy for a normal rule: eg.
> > SecRuleUpdateActionById 920350 "setvar:tx.anomaly_score=+100"
> > 
> > However, for chained rules this type of update will only update the first 
> > rule in the chain. Eg.
> > SecRuleUpdateActionById 920440 "setvar:tx.anomaly_score=+100,chain"
> > 
> > Since the action is non-disruptive the score addition takes place whenever 
> > the first rule in the chain matches (as referenced 
> > http://blog.modsecurity.org/2008/07/modsecurity-tri.html).
> > 
> > Has anything been done to allow SecRuleUpdateActionById to specify offsets 
> > (eg. as suggested at https://github.com/SpiderLabs/ModSecurity/issues/190)?
> > 
> > I tried this:
> > SecRuleUpdateActionById 920440:1 "setvar:tx.anomaly_score=+100,chain"
> > and there is no error about the Rule Id not existing, but it doesn't seem 
> > like the update has taken place. I'm assuming this feature suggestion 
> > hasn't been implemented yet and the update action is ignored because there 
> > is no rule id "920440:1"?
> > 
> > So my question is: Is it possible to change the anomaly score for a 
> > specified chained rule in the CRS without editing the CRS files directly?
> > 
> > Thanks
> > 
> > Brian
> > 
> > 
> 
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list 
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
> 
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
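The debug log in Christian's reply is the evidence that `SecRuleUpdateActionById 920440:1` reached the second rule of the chain: the `Rule <addr>: SecRule ...` entry that follows `Recipe: Invoking rule <addr>` carries the appended `setvar:tx.anomaly_score=+100`, and the score goes from 5 to 105. Checking that by eye is tedious, so here is an added Python helper (not code from the thread, ModSecurity or the CRS) that parses a `SecDebugLogLevel 9` excerpt, groups rule entries into chains using the `Recipe: Invoking rule` markers, and reports whether a given action is present at a given chain offset. The sample log is a constructed, shortened copy of the entries in the mail (one entry per line, as ModSecurity writes them; the mailer wrapped them), with the tag list trimmed and a placeholder path for the CRS file. It assumes the debug-log line layout shown in the thread, which is the only format it knows.

```python
import re

# Constructed debug-log excerpt modelled on the SecDebugLogLevel 9 output in the
# thread: one entry per line, long tag list trimmed, placeholder path for the CRS file.
PREFIX = ("[01/Jun/2017:09:02:51 +0200] "
          "[localhost/sid#55c6741331d8][rid#7fe120002970][/index.asa]")
SAMPLE_LOG = "\n".join(PREFIX + s for s in [
    r'[5] Rule 55c6732d66f0: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" '
    r'"phase:request,log,auditlog,chain,capture,t:none,t:urlDecodeUni,t:lowercase,'
    r"block,msg:'URL file extension is restricted by policy',severity:CRITICAL,"
    r'id:920440,logdata:%{TX.0},setvar:tx.extension=.%{tx.1}/"',
    '[4] Rule returned 1.',
    '[9] Match -> mode NEXT_RULE.',
    '[4] Recipe: Invoking rule 55c6732de088; '
    '[file "/path/to/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1075"].',
    r'[5] Rule 55c6732de088: SecRule "TX:EXTENSION" "@within %{tx.restricted_extensions}" '
    r'"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},'
    r'setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var},'
    r'setvar:tx.anomaly_score=+100"',
    '[9] Original collection variable: tx.anomaly_score = "5"',
    '[9] Set variable "tx.anomaly_score" to "105".',
])

# A rule entry: "[level] Rule <addr>: SecRule "<variables>" "<operator>" "<actions>""
RULE_RE = re.compile(r'\[\d\] Rule (\w+): SecRule "([^"]*)" "([^"]*)" "(.*)"$')
# A chained rule is announced by the engine just before its own Rule entry.
RECIPE_RE = re.compile(r'\[\d\] Recipe: Invoking rule (\w+);')
# The id:NNNN action is only present on the first rule of a chain.
ID_RE = re.compile(r'(?:^|,)id:(\d+)(?:,|$)')
SCORE_RE = re.compile(r'Set variable "tx\.anomaly_score" to "(\d+)"\.')


def split_actions(actions):
    """Split an action list on commas, leaving single-quoted msg:'...' text intact."""
    parts, buf, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_chains(log_text):
    """Group Rule entries into chains: a list of chains, each a list of rule dicts."""
    chains = []
    invoked = None  # address named by the last "Recipe: Invoking rule" line
    for line in log_text.splitlines():
        m = RECIPE_RE.search(line)
        if m:
            invoked = m.group(1)
            continue
        m = RULE_RE.search(line)
        if not m:
            continue
        addr, variables, operator, actions = m.groups()
        idm = ID_RE.search(actions)
        entry = {"addr": addr, "variables": variables, "operator": operator,
                 "actions": split_actions(actions),
                 "id": idm.group(1) if idm else None}
        if invoked == addr and chains:
            chains[-1].append(entry)      # offset 1, 2, ... of the current chain
        else:
            chains.append([entry])        # a new chain head (offset 0)
        invoked = None
    return chains


def rule_actions(chains, rule_id, offset):
    """Actions of the rule at chain offset `offset` under head rule `rule_id`, or None."""
    for chain in chains:
        if chain[0]["id"] == str(rule_id):
            return chain[offset]["actions"] if offset < len(chain) else None
    return None


def update_applied(log_text, rule_id, offset, action):
    """True if `action` appears on the rule SecRuleUpdateActionById <id>:<offset> targets."""
    acts = rule_actions(parse_chains(log_text), rule_id, offset)
    return acts is not None and action in acts


def final_anomaly_score(log_text):
    """Last value ModSecurity reports for tx.anomaly_score, or None if never set."""
    scores = SCORE_RE.findall(log_text)
    return int(scores[-1]) if scores else None


if __name__ == "__main__":
    for offset in (0, 1):
        print(f"920440:{offset} has +100:",
              update_applied(SAMPLE_LOG, 920440, offset, "setvar:tx.anomaly_score=+100"))
    print("final anomaly score:", final_anomaly_score(SAMPLE_LOG))
```

Run against a real debug log, the check distinguishes the two situations discussed in the thread: an update applied to `920440:1` shows up on the second entry of the chain (the one after the `Recipe` line), while an update applied to `920440` alone shows up only on the head entry, whose `setvar` fires whenever the head matches, before the chained `@within` check has run. If neither entry carries the action, the `SecRuleUpdateActionById` line most likely precedes the `Include` of the CRS rules, which is the ordering problem Christian points at.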