Yep - I was hoping that some folks from the community would help with the documentation but that hasn't materialized... If anyone wants to help with Documentation please ping me so we can coordinate.
Besides the OWASP Rule Document pages, I did start updating the comments preceding each rule in the rules files. I only finished two files so far - modsecurity_crs_20_protocol_violations.conf modsecurity_crs_21_protocol_anomalies.conf Each rule has Rules Logic and Reference sections to help provide information as to the rule's purpose. # # -=[ Rule Logic ]=- # Uses rule negation against the regex for positive security. The regex specifies the proper # construction of URI request lines such as: # # "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] # # It also outlines proper construction for CONNECT, OPTIONS and GET requests. # # -=[ References ]=- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 # SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s ]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ "t:none,t:lowercase,phase:1,rev:'2.1.3',block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc 2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_scor e=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.noti ce_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{ma tched_var_name}=%{matched_var}'" Again - if anyone wants to help with documentation improvements, we are certainly looking for help. -Ryan On 5/5/11 4:57 AM, "Josh Amishav-Zlatin" <[email protected]> wrote: >2011/5/5 张章斌(研六 福州) <[email protected]>: >> Hello! >> >> >> >> Many rule in the core-rule-set are complicated and I can’t >>understant >> it. >> >> Does anyone know where to find the description of each rule? > >There was a push to start documenting the CRS rules a while back, >though it doesn't look like that much was completed: > >https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_P >roject#tab=Documentation > >To get a good understand of the ModSecurity rules language, I highly >recommend getting a copy the ModSecurity Handbook. > >-- > - Josh >_______________________________________________ >Owasp-modsecurity-core-rule-set mailing list >[email protected] >https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
