On a somewhat related note - some of you may have seen this email today - https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2011-May/000760.html

I have started some work on updating the CRS rules regression testing suite scripts. As part of the testing suite, you have to create actual template HTTP requests that the script uses to craft actual requests that it will send to a ModSec install. As part of this process, we will need to go through each and every rule and develop an actual testing case for it. This will actually help with regards to the Rule ID documentation pages (https://www.owasp.org/index.php/ModSecurity_CRS_Rule_Description_Template) as we will be able to then provide the "Example Payload" and "Example Audit Log Entry" data taken from the regression tests.

I will send a note to the mail-list when I have released the rules regression testing suite. My plan is to get this out sooner rather than later. It may not be totally updated with tests for all CRS rules, but I want to get the framework out for testing by the community and hopefully some people will help to actually create some tests :)

-=Ryan

On 5/5/11 9:05 AM, "Ryan Barnett" <[email protected]> wrote:

> Yep - I was hoping that some folks from the community would help with the
> documentation but that hasn't materialized... If anyone wants to help
> with Documentation please ping me so we can coordinate.
>
> Besides the OWASP Rule Document pages, I did start updating the comments
> preceding each rule in the rules files. I only finished two files so far -
>
> modsecurity_crs_20_protocol_violations.conf
> modsecurity_crs_21_protocol_anomalies.conf
>
> Each rule has Rules Logic and Reference sections to help provide
> information as to the rule's purpose.
>
> #
> # -=[ Rule Logic ]=-
> # Uses rule negation against the regex for positive security. The regex specifies the proper
> # construction of URI request lines such as:
> #
> # "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
> #
> # It also outlines proper construction for CONNECT, OPTIONS and GET requests.
> #
> # -=[ References ]=-
> # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
> #
> SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
>         "t:none,t:lowercase,phase:1,rev:'2.1.3',block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
>
> Again - if anyone wants to help with documentation improvements, we are
> certainly looking for help.
>
> -Ryan
>
> On 5/5/11 4:57 AM, "Josh Amishav-Zlatin" <[email protected]> wrote:
>
>> 2011/5/5 张章斌(研六 福州) <[email protected]>:
>>> Hello!
>>>
>>> Many rules in the core-rule-set are complicated and I can't understand it.
>>>
>>> Does anyone know where to find the description of each rule?
>>
>> There was a push to start documenting the CRS rules a while back,
>> though it doesn't look like that much was completed:
>>
>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Documentation
>>
>> To get a good understanding of the ModSecurity rules language, I highly
>> recommend getting a copy of the ModSecurity Handbook.
>>
>> --
>>  - Josh
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> [email protected]
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
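The rule quoted in the thread is a natural first candidate for the per-rule regression test case Ryan describes: a template request line plus the verdict the rule is expected to give. The script below is an added example, not part of the original thread and not code from the CRS regression suite. It lifts the 960911 regex verbatim from the quoted SecRule, applies the same t:lowercase transformation before matching, and honours the "!" negation, so that the function returns True exactly when the rule would block. The request lines in CASES are constructed here, and the helper names (rule_960911_fires, run_regression) are the example's own; the last two cases go a little beyond the thread by probing where this revision of the regex draws its boundaries, which is what a tester needs to know before writing expectations.

```python
import re

# Regex lifted verbatim from the quoted rule 960911 (CRS rev 2.1.3), minus the
# leading "!" that negates the operator inside the SecRule itself.
REQUEST_LINE_RE = re.compile(
    r"^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)


def rule_960911_fires(request_line: str) -> bool:
    """Return True when rule 960911 would block the given request line.

    Mirrors the rule's evaluation order: t:lowercase is applied to
    REQUEST_LINE first, then the negated regex operator fires when the
    positive-security pattern does NOT match.
    """
    normalized = request_line.lower()                    # t:lowercase
    return REQUEST_LINE_RE.search(normalized) is None   # "!" negation


# Constructed template request lines (hypothetical, not from the CRS suite).
# Each entry is (request line, expected verdict: True = rule should block).
CASES = [
    # Well-formed request lines the rule must let through.
    ("GET / HTTP/1.1", False),
    ("POST /login?user=alice HTTP/1.1", False),
    ("GET http://example.com:8080/path HTTP/1.1", False),   # absolute-URI form
    ("CONNECT 10.0.0.1:443 HTTP/1.1", False),               # dotted-quad CONNECT
    ("OPTIONS * HTTP/1.1", False),
    ("GET /index.html", False),                             # HTTP/0.9 simple request
    # Malformed lines the rule must block.
    ("GET index.html HTTP/1.1", True),      # path without a leading slash
    ("GET/index.html HTTP/1.1", True),      # no whitespace after the method
    ("G3T / HTTP/1.1", True),               # method token must be [a-z]{3,10}
    # Boundaries of this revision worth knowing before writing expectations:
    ("CONNECT example.com:443 HTTP/1.1", True),   # only IP-literal CONNECT targets match
    ("GET /index.html HTTP/1.1 extra", False),    # [^?#]* spans spaces; a trailing token passes
]


def run_regression(cases=CASES):
    """Evaluate every case; return the (line, expected, actual) tuples that disagree."""
    failures = []
    for line, expected in cases:
        actual = rule_960911_fires(line)
        if actual != expected:
            failures.append((line, expected, actual))
    return failures


if __name__ == "__main__":
    for line, expected in CASES:
        verdict = "BLOCK" if rule_960911_fires(line) else "pass "
        print(f"{verdict}  {line!r}")
    failed = run_regression()
    print(f"\n{len(CASES) - len(failed)}/{len(CASES)} cases matched expectation")
```

The same shape (template line, expected verdict, a runner that reports disagreements) is what the regression suite described at the top of the thread needs per rule, and the "pass" cases double as the "Example Payload" material for the rule description pages. Note that this only checks the regex and transformation; the phase, anomaly-score setvars and the blocking action are exercised only when the template is actually sent to a ModSecurity instance.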
