Ryan,

it will be more clear to check these different aspects of the rule, action,
tags, variables, etc. Sounds good to me, this way you are swapping the very
long lines by a long file... More human readable :)

Klaubert

On Tue, Mar 13, 2012 at 4:49 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:

> I am working on updating the current CRS SecRule formatting.  The idea is
> to make the rules easier to read and understand what is happening, for
> example to quickly understand the ACTION line data.
>
> The format is updated to:
>
> 1) Separate the VARIABLE OPERATOR and ACTION sections from each other by
> using the Apache \ line continuation character.
> 2) The 1st ACTION line starts with the rule ID.  This makes it easier to
> find rules of interest.
> 3) The end of the 1st ACTION line lists any disruptive actions.
> 4) Transformation functions have their own line.
> 5) Tags have their own line.
> 6) Meta-actions (such as setvars) have their own line.
> 7) Also including example attack payloads that are detected by the
> OPERATOR to help understand what the regex is looking for.
>
> Please review/comment on the updated format below.  I would like to start
> updating the CRS rules to use this format for the 3.0 version.
>
> Thanks.
>
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
>
>
> #####################################
> #
> # Example Payloads Detected:
> # -------------------------
> # ' or 1=1#
> # ') or ('1'='1--
> # 1 OR \'1\'!=0
> # aaa\' or (1)=(1) #!asd
> # aaa\' OR (1) IS NOT NULL #!asd
> # ' =+ '
> # asd' =- (-'asd') -- -a
> # aa" =+ - "0
> # asd"or-1="-1
> # asd"or!1="!1
> # asd"or!(1)="1
> # asd" or ascii(1)="49
> # asd' or md5(5)^'1
> # \"asd" or 1="1
> # ' or id= 1 having 1 #1 !
> # ' or id= 2-1 having 1 #1 !
> # aa'or BINARY 1= '1
> # aa'like-'aa
> # -------------------------
> #
>
> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
> \
> "(?i)(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘])" \
> \
> "id:'981244',msg:'Detects basic SQL authentication bypass attempts 1/3',logdata:'%{TX.0}',severity:'2',phase:2,capture,block, \
> t:none,t:urlDecodeUni, \
> tag:'WEB_ATTACK/SQLI', \
> setvar:'tx.msg=%{rule.id}-%{rule.msg}', \
> setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}', \
> setvar:tx.sql_injection_score=+1, \
> setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
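Added example (not part of the thread or of the CRS project itself): a Python check that runs the operator regex of the quoted rule 981244 over the payloads listed in its header, and over a raw URL-encoded argument with t:urlDecodeUni approximated by urllib's unquote_plus (which lacks the %uXXXX form). The benign inputs and the function names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Quote/apostrophe variants the rule's character class treats as string delimiters.
QC = "\"'`´’‘"
Q = f"[{QC}]"

# The operator of rule 981244 from the message above, one alternation branch per
# line; the leading (?i) of the rule becomes re.IGNORECASE here.
BRANCHES = [
    rf"\d{Q}\s+{Q}\s+\d",                                                      # 1' '1
    rf"^admin\s*?{Q}|(\/\*)+{Q}+\s?(?:--|#|\/\*|{{)?",                         # admin' or /*'--
    rf"{Q}\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d{QC}]",  # ' or 1=1
    rf"{Q}\s*?[^\w\s]?=\s*?{Q}",                                               # '='
    rf"{Q}\W*?[+=]+\W*?{Q}",                                                   # ' =+ '
    rf"{Q}\s*?[!=|][\d\s!=+-]+.*?[{QC}(].*?$",                                 # '!=1 ... '
    rf"{Q}\s*?[!=|][\d\s!=]+.*?\d+$",                                          # '!=0
    rf"{Q}\s*?like\W+[\w{QC}(]",                                               # 'like-'
    r"\sis\s*?0\W",                                                            # IS 0
    r"where\s[\s\w\.,-]+\s=",                                                  # where x =
    rf"{Q}[<>~]+{Q}",                                                          # '<>'
]
OPERATOR = re.compile("|".join(f"(?:{b})" for b in BRANCHES), re.IGNORECASE)

# The example payloads from the rule header, exactly as listed there.
HEADER_PAYLOADS = [
    "' or 1=1#", "') or ('1'='1--", "1 OR \\'1\\'!=0",
    "aaa\\' or (1)=(1) #!asd", "aaa\\' OR (1) IS NOT NULL #!asd",
    "' =+ '", "asd' =- (-'asd') -- -a", 'aa" =+ - "0',
    'asd"or-1="-1', 'asd"or!1="!1', 'asd"or!(1)="1',
    'asd" or ascii(1)="49', "asd' or md5(5)^'1", '\\"asd" or 1="1',
    "' or id= 1 having 1 #1 !", "' or id= 2-1 having 1 #1 !",
    "aa'or BINARY 1= '1", "aa'like-'aa",
]

def operator_matches(value):
    """True when the @rx operator fires on an already-transformed value."""
    return OPERATOR.search(value) is not None

def rule_fires(raw_arg):
    """Approximate t:urlDecodeUni on a raw request argument, then apply the operator.
    unquote_plus decodes %XX and '+' but not the %uXXXX form urlDecodeUni also accepts."""
    return operator_matches(unquote_plus(raw_arg))

def unmatched_header_payloads():
    """Listed payloads this operator alone does not catch (another rule may)."""
    return [p for p in HEADER_PAYLOADS if not operator_matches(p)]

if __name__ == "__main__":
    for p in HEADER_PAYLOADS:
        print("match" if operator_matches(p) else "MISS ", repr(p))
```

Running it shows that two of the listed payloads are not matched by this 1/3 operator on its own, which is exactly the kind of gap a per-rule payload list makes visible.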
