Beautiful Ryan, That worked perfectly for the individual var names. -=Steve
From: Ryan Barnett <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>> Date: Friday, July 20, 2012 11:06 AM To: Stephen Canell <stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>, "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring From: "Canell, Stephen E (2240)" <stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>> Date: Fri, 20 Jul 2012 13:02:16 -0500 To: Ryan Barnett <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>>, "Canell, Stephen E (2240)" <stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>, "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring Ryan, So what you are saying is that the var names will trigger these rules. I'll give that a whirl! Thank you for the response. Yes, these rule work by first checking various TARGETS for possible SQLi keywords (ARGS_NAMES is one of the var collections checked)- SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'" If there is a match, that data is appended to the TX.SQLI_SELECT_STATEMENT value which is then checked against the other individual rules and anomaly scores are then increases. The final rule in this group simply checks to see if there are 3 or more SQLi keyword matches within the TX value. -Ryan -=Steve From: Ryan Barnett <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>> Date: Friday, July 20, 2012 10:48 AM To: Stephen Canell <stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>>, "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring From: "Canell, Stephen E (2240)" <stephen.e.can...@jpl.nasa.gov<mailto:stephen.e.can...@jpl.nasa.gov>> Date: Fri, 20 Jul 2012 12:13:22 -0500 To: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: [Owasp-modsecurity-core-rule-set] SQL Keyword Anomaly Scoring # # SQL Keyword Anomaly Scoring: I am having issues fine tuning all SQL rules for a COTS product. This relates to the ID 981301 - 981316 with 981317. I get a 403 from 918317 related to the previous SecRules because of the keyword count trigger. Would the keyword in 301-316 be triggered by variables names having SQL keywords in the var name, such as: "search.selectedJobFamily.value" (981301 - select) Also, I have two variables where users can enter an entire resume, so most, if not all of the SQL keywords in the SQL rules 301-316 will get hit! I have seen the use SecRuleUpdateById in conjunction of !ARGS:<var> used, but 301-316 uses TX:SQLI….. How do I use the SecRuleUpdateById with TX vs ARGS, and or what is the best way to allow all words for these two variables and not set off the SQL triggers. Thank you Steve Steve, If you don't want these SQL keyword checks to search ARGS_NAMES collection at all, you can use this - SecRuleUpdateTargetsById 981300 "!ARGS_NAMES" Optionally, you can specify the individual ARGS_NAMES variables that are causing false positives - SecRuleUpdateTargetsById 981300 "!ARGS_NAMES:search.selectedJobFamily.value" -Ryan ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
