From: "Canell, Stephen E (2240)"
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>
Date: Fri, 20 Jul 2012 13:02:16 -0500
To: Ryan Barnett <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>>,
"Canell, Stephen E (2240)"
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>,
"owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>"
<owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>>
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring
Ryan,
So what you are saying is that the var names will trigger these rules.
I'll give that a whirl!
Thank you for the response.
Yes, these rule work by first checking various TARGETS for possible SQLi
keywords (ARGS_NAMES is one of the var collections checked)-
SecRule
REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*
"@pm select show top distinct from dual where group by order having limit
offset union rownum as (case"
"phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement}
%{matched_var}'"
If there is a match, that data is appended to the TX.SQLI_SELECT_STATEMENT
value which is then checked against the other individual rules and anomaly
scores are then increases.
The final rule in this group simply checks to see if there are 3 or more SQLi
keyword matches within the TX value.
-Ryan
-=Steve
From: Ryan Barnett <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>>
Date: Friday, July 20, 2012 10:48 AM
To: Stephen Canell
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>,
"owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>"
<owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>>
Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring
From: "Canell, Stephen E (2240)"
<stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>
Date: Fri, 20 Jul 2012 12:13:22 -0500
To:
"owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>"
<owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>>
Subject: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring
#
# SQL Keyword Anomaly Scoring:
I am having issues fine tuning all SQL rules for a COTS product. This relates
to the ID 981301 - 981316 with 981317.
I get a 403 from 918317 related to the previous SecRules because of the keyword
count trigger.
Would the keyword in 301-316 be triggered by variables names having SQL
keywords in the var name, such as:
"search.selectedJobFamily.value" (981301 - select)
Also,
I have two variables where users can enter an entire resume, so most, if not
all of the SQL keywords in the SQL rules 301-316 will get hit!
I have seen the use SecRuleUpdateById in conjunction of !ARGS:<var> used, but
301-316 uses TX:SQLI….. How do I use the SecRuleUpdateById with TX vs ARGS, and
or
what is the best way to allow all words for these two variables and not set off
the SQL triggers.
Thank you
Steve
Steve,
If you don't want these SQL keyword checks to search ARGS_NAMES collection at
all, you can use this -
SecRuleUpdateTargetsById 981300 "!ARGS_NAMES"
Optionally, you can specify the individual ARGS_NAMES variables that are
causing false positives -
SecRuleUpdateTargetsById 981300 "!ARGS_NAMES:search.selectedJobFamily.value"
-Ryan
________________________________
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the intended
recipient, you are hereby notified that any disclosure, copying, distribution,
or use of the information contained herein (including any reliance thereon) is
STRICTLY PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format.
________________________________
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the intended
recipient, you are hereby notified that any disclosure, copying, distribution,
or use of the information contained herein (including any reliance thereon) is
STRICTLY PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
