Ryan,

This looks great! I'm a big fan of human-readable code, and this will be important as users need to analyze false positives. I like it.
Just curious, could this have any impact on performance?

Best,

Matt Thomas
Founder betweenbrain <http://betweenbrain.com/>™
Lead Developer Construct Template Development Framework <http://construct-framework.com/>
Phone: 203.632.9322
Twitter: @betweenbrain
Github: https://github.com/betweenbrain

On Tue, Mar 13, 2012 at 3:49 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:

> I am working on updating the current CRS SecRule formatting. The idea is
> to make the rules easier to read and understand what is happening, for
> example to quickly understand the ACTION line data.
>
> The format is updated to:
>
> 1) Separate the VARIABLE, OPERATOR and ACTION sections from each other by
> using the Apache \ line continuation character.
> 2) The 1st ACTION line starts with the rule ID. This makes it easier to
> find rules of interest.
> 3) The end of the 1st ACTION line lists any disruptive actions.
> 4) Transformation functions have their own line.
> 5) Tags have their own line.
> 6) Meta-actions (such as setvars) have their own line.
> 7) Also including example attack payloads that are detected by the
> OPERATOR to help understand what the regex is looking for.
>
> Please review/comment on the updated format below. I would like to start
> updating the CRS rules to use this format for the 3.0 version.
>
> Thanks.
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
>
> #####################################
> #
> # Example Payloads Detected:
> # -------------------------
> # ' or 1=1#
> # ') or ('1'='1--
> # 1 OR \'1\'!=0
> # aaa\' or (1)=(1) #!asd
> # aaa\' OR (1) IS NOT NULL #!asd
> # ' =+ '
> # asd' =- (-'asd') -- -a
> # aa" =+ - "0
> # asd"or-1="-1
> # asd"or!1="!1
> # asd"or!(1)="1
> # asd" or ascii(1)="49
> # asd' or md5(5)^'1
> # \"asd" or 1="1
> # ' or id= 1 having 1 #1 !
> # ' or id= 2-1 having 1 #1 !
> # aa'or BINARY 1= '1
> # aa'like-'aa
> # -------------------------
> #
> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
>   \
>   "(?i)(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘])" \
>   \
>   "id:'981244',msg:'Detects basic SQL authentication bypass attempts 1/3',logdata:'%{TX.0}',severity:'2',phase:2,capture,block, \
>   t:none,t:urlDecodeUni, \
>   tag:'WEB_ATTACK/SQLI', \
>   setvar:'tx.msg=%{rule.id}-%{rule.msg}', \
>   setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}', \
>   setvar:tx.sql_injection_score=+1, \
>   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
>
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
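The layout Ryan proposes is mostly about readability, but it also makes the rule mechanically easy to pick apart, and the payload header in item 7 is only useful if the payloads really do trigger the operator. The script below is an added example, not code from the thread, from ModSecurity or from the CRS project: it embeds the draft-format rule, undoes the Apache `\` continuations, splits the directive into VARIABLES, OPERATOR and ACTIONS, files the actions into the groups the layout gives their own line (id, disruptive action, transformations, tags, setvars), then runs the operator over some of the header's payloads after an approximation of `t:urlDecodeUni`. Assumptions: the `’‘` characters in the quote class (they are mangled in the mail), a simplified stand-in for Apache's and ModSecurity's own config parsing (whitespace at a continuation join collapses to one space), and a `url_decode_uni` helper that handles `+`, `%XX` and `%uXXXX` only. Only `@rx` (implicit when the operator has no `@`) is supported.

```python
import re

# Constructed sample: the draft-format rule from the thread, as it would sit in a .conf
# file. The ’‘ in the quote class are an assumption (they are mangled in the mail).
RULE_TEXT = r'''
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
  \
  "(?i)(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘])" \
  \
  "id:'981244',msg:'Detects basic SQL authentication bypass attempts 1/3',logdata:'%{TX.0}',severity:'2',phase:2,capture,block, \
  t:none,t:urlDecodeUni, \
  tag:'WEB_ATTACK/SQLI', \
  setvar:'tx.msg=%{rule.id}-%{rule.msg}', \
  setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}', \
  setvar:tx.sql_injection_score=+1, \
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
'''

DISRUPTIVE = {'allow', 'block', 'deny', 'drop', 'pass', 'proxy', 'redirect'}

def join_continuations(text):
    """Glue '\\'-terminated lines to the next one (Apache line continuation);
    whitespace at the join collapses to one space, which this rule tolerates."""
    directives, parts = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        cont = line.endswith('\\')
        line = line[:-1].strip() if cont else line
        if line:
            parts.append(line)
        if not cont and parts:
            directives.append(' '.join(parts))
            parts = []
    return directives

def split_args(directive):
    """Apache-style argument split: whitespace separates, "..." groups, \\" is a literal quote."""
    return [quoted.replace('\\"', '"') if quoted else bare
            for quoted, bare in re.findall(r'"((?:\\"|[^"])*)"|(\S+)', directive)]

def split_actions(actions):
    """Split the action list on commas that sit outside single quotes."""
    return [a.strip() for a in re.findall(r"(?:'[^']*'|[^,])+", actions) if a.strip()]

def parse_rule(text):
    """Break the SecRule into the slots the draft layout gives their own line."""
    directive = next(d for d in join_continuations(text) if d.startswith('SecRule '))
    _, variables, operator, actions = split_args(directive)
    if operator.startswith('@rx '):  # no '@' at all means the implicit @rx operator
        operator = operator[4:]
    elif operator.startswith('@'):
        raise NotImplementedError('only @rx is handled here: ' + operator.split()[0])
    rule = {'variables': variables.split('|'), 'regex': re.compile(operator), 'id': None,
            'msg': None, 'phase': None, 'disruptive': [], 'transformations': [],
            'tags': [], 'setvars': [], 'other': []}
    lists = {'t': 'transformations', 'tag': 'tags', 'setvar': 'setvars'}
    for action in split_actions(actions):
        name, _, value = action.partition(':')
        value = value.strip("'")
        if name in ('id', 'msg'):
            rule[name] = value
        elif name == 'phase':
            rule['phase'] = int(value)
        elif name in lists:
            rule[lists[name]].append(value)
        elif name in DISRUPTIVE:
            rule['disruptive'].append(name)
        else:
            rule['other'].append(action)  # capture, logdata, severity, ...
    return rule

_PCT = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')

def url_decode_uni(value):
    """Approximation of t:urlDecodeUni: '+' -> space, %XX and IIS-style %uXXXX decoded,
    malformed escapes left as they are."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value.replace('+', ' '))

TRANSFORMS = {'none': lambda v: v, 'urlDecodeUni': url_decode_uni}  # t:none only clears inherited t:

def matches(rule, value, apply_transforms=True):
    """True when the operator fires on the value after the rule's t: chain has run."""
    if apply_transforms:
        for name in rule['transformations']:
            value = TRANSFORMS[name](value)
    return rule['regex'].search(value) is not None

# Some of the header's example payloads (constructed list; raw strings keep the backslashes),
# plus a URL-encoded form of the first one to show why the t: chain matters.
HEADER_PAYLOADS = [r"' or 1=1#", r"') or ('1'='1--", r"1 OR \'1\'!=0", r"' =+ '",
                   r'asd"or-1="-1', r'asd"or!1="!1', r"aa'like-'aa", r"%27%20or%201%3D1%23"]

if __name__ == '__main__':
    rule = parse_rule(RULE_TEXT)
    print(rule['id'], 'phase', rule['phase'], 'disruptive', rule['disruptive'], 't:', rule['transformations'])
    for payload in HEADER_PAYLOADS:
        print('%-5s raw=%-5s %s' % (matches(rule, payload), matches(rule, payload, False), payload))
```

Two things the run shows that the rule text alone does not. First, the URL-encoded payload only fires after `t:urlDecodeUni`, so the transformation line is not decoration: re-ordering or dropping it changes what the operator sees. Second, `asd"or!1="!1` from the header does not match this rule's regex on its own; the rule's msg says it is part 1/3 of a group and the other two rules are not in the mail, so a header like item 7 should state whether its payloads are detected by the single rule below it or by the group, or the comments will drift from the regex over time.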