On 2/13/12 4:56 PM, "Christian Bockermann" <ch...@jwall.org> wrote:

>
> (2) Modularity & Documentation
>
>     The current rules have a modular structure, but to most people it is
>     not clear how to exactly adjust rules. Though I do like the blog posts
>     we have about tweaking the rules, we need to have some central, clean
>     and well-structured documentation. This needs to be maintainable and
>     easy to understand.

Agreed.  I think I responded to this on the other email thread.

>
>     I'd propose to use a simple style (e.g. markdown) to document the
>     rules inline and additionally provide tools to automatically generate
>     docs from that.
>
>     The idea of the rule-doc template is nice, but we need a nice and
>     *clean* looking central page for that (the current homepage at OWASP
>     looks terribly confusing).

Yeah, OWASP recently updated the wiki templates and it blew away the
presentation and tabbed formatting so it is all messed up now.

>
>     For example, if I'm hit by rule-ID 960012 - it would be perfect to
>     go to
>
>          http://www.modsecurity.org/crs/rule/960012
>
>     and immediately have an explanation of that rule.

I tried this approach.  I set up a rules documentation template here which
is modeled after the Snort sig documentation pages -
https://www.owasp.org/index.php/ModSecurity_CRS_Rule_Description_Template


An example page is here -

https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911


The big challenge to this approach is the up-front work involved.  We have
thousands of rules...  I am hesitant to do the up front work at this
current time as our plans of re-architecting the CRS might impact the # of
rules we need to maintain (which I would like to reduce by the way).


>
>     I'd be happy to directly create a link to such a URL into the
>     AuditConsole. A similar thing could be done for rule-tags.
>     For example, the AuditConsole provides a "goto" link based on
>     hashtags, e.g. if an event is tagged as "#sql-injection", then one
>     can define a target such as
>
>          http://my.internal.wiki.org/security/sql-injection

We already have some of those URL types of TAGS in the CRS, for example -

SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "phase:1,t:none,t:lowercase,block,\
    msg:'Invalid HTTP Request Line',\
    id:'960911',severity:'4',rev:'2.2.3',\
    logdata:'%{request_line}',\
    tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',\
    tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',\
    tag:'RULE_MATURITY/8',tag:'RULE_ACCURACY/8',\
    setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',\
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
    setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},\
    setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"



The "tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}'"
data will be macro expanded at run time to include the current rule id in
the url.

-Ryan
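Added example (editor's note, not code from the thread, from the CRS or from
the AuditConsole): a small Python script that does on the consumer side what
the two mails describe. It parses the action list of a SecRule, collects the
rule id and the tx.* variables the rule's own setvar actions assign, expands
the %{...} macros in the tag values, and returns the URL tags as ready-made
documentation links; tags that are not URLs (RULE_MATURITY/8 and the like)
are optionally mapped under an internal wiki base URL, the way Christian's
hashtag "goto" link works. The sample action list is constructed from rule
960911 as quoted above; the internal base URL and all function names are
assumptions made for this example.

```python
import re

# Constructed sample input: the action list of CRS rule 960911 as quoted in
# this thread (the regex operand is left out; only the actions matter here).
SAMPLE_ACTIONS = (
    "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',"
    "id:'960911',severity:'4',rev:'2.2.3',logdata:'%{request_line}',"
    "tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',"
    "tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',"
    "tag:'RULE_MATURITY/8',tag:'RULE_ACCURACY/8',"
    "setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',"
    "setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},"
    "setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},"
    "setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-"
    "%{matched_var_name}=%{matched_var}'"
)

MACRO = re.compile(r"%\{([^}]+)\}")


def _split_pair(item):
    """'name:value' -> (name, value); a bare action such as 'block' -> (name, None)."""
    name, sep, value = item.strip().partition(":")
    return (name, value if sep else None)


def parse_actions(actions):
    """Split a ModSecurity action list into (name, value) pairs.

    Commas inside single-quoted values (msg:'a, b') do not split the list,
    the quotes themselves are dropped, and a backslash escapes the next
    character, so an escaped quote inside a quoted value stays literal.
    """
    pairs, buf, quoted, i = [], [], False, 0
    while i < len(actions):
        ch = actions[i]
        if ch == "\\" and i + 1 < len(actions):
            buf.append(actions[i + 1])
            i += 2
            continue
        if ch == "'":
            quoted = not quoted
        elif ch == "," and not quoted:
            pairs.append(_split_pair("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        pairs.append(_split_pair("".join(buf)))
    return pairs


def expand_macros(text, context):
    """Replace every %{name} in text with context[name]; unknown names become ''."""
    return MACRO.sub(lambda m: context.get(m.group(1).lower(), ""), text)


def rule_context(pairs):
    """Build the variables a hit on this rule carries at log time: rule.*
    metadata plus the tx.* variables the rule's own setvar actions assign
    (numeric score increments such as tx.anomaly_score=+... are skipped)."""
    ctx = {}
    for name, value in pairs:
        if name in ("id", "msg", "rev", "severity") and value is not None:
            ctx["rule." + name] = value
    for name, value in pairs:
        if name == "setvar" and value and "=" in value:
            var, _, expr = value.partition("=")
            if expr[:1] in ("+", "-"):
                continue
            ctx[expand_macros(var, ctx).lower()] = expand_macros(expr, ctx)
    return ctx


def doc_links(actions, internal_base=None):
    """Return documentation links for a rule: every tag that already is a URL
    is macro-expanded; any other tag is placed under internal_base (assumed
    wiki layout <base>/<tag>) when a base URL is given."""
    pairs = parse_actions(actions)
    ctx = rule_context(pairs)
    links = []
    for name, value in pairs:
        if name != "tag" or value is None:
            continue
        tag = expand_macros(value, ctx)
        if tag.startswith(("http://", "https://")):
            links.append(tag)
        elif internal_base:
            links.append(internal_base.rstrip("/") + "/" + tag)
    return links


if __name__ == "__main__":
    for link in doc_links(SAMPLE_ACTIONS, "http://my.internal.wiki.org/security"):
        print(link)
```

Run as-is it prints the OWASP rule page for 960911, the RFC 2616 section,
and the two maturity/accuracy tags mapped under the assumed internal wiki;
the tx.id macro resolves because the rule's own setvar:'tx.id=%{rule.id}'
is evaluated before the tags are expanded, which is the run-time expansion
Ryan refers to.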



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
