We are starting the process of reviewing/updating the CRS base_rules. As part of this process, I am sending out emails for community review of each rule. We need feedback on any possible updates to the following:
* Is the VARIABLE/TARGET list accurate? Should we add/remove any variables?
* Is the OPERATOR accurate? Should we use a different operator? Can the operator value be improved for accuracy and performance?
* Are there any recommended changes to the action listing?

I have gone ahead and updated this rule with the following improvements:

* Removed the "t:lowercase" tfns and added the pcre ignore case quantifier (?i:
* Reordered the action listing to make it more readable
* Added new ModSecurity v2.7 ver, maturity and accuracy actions. If you feel that any of these should be updated let me know. Your feedback is critical for the accuracy label. If you run into false positives, you must let us know so we can look to improve the rule or label its accuracy value accordingly.
* Updated both tag and setvar data.

#
# Validate request line against the format specified in the HTTP RFC
#
# -=[ Rule Logic ]=-
#
# Uses rule negation against the regex for positive security. The regex specifies the proper
# construction of URI request lines such as:
#
# "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
#
# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
# http://capec.mitre.org/data/definitions/272.html
#
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[ \w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "msg:'Invalid HTTP Request Line', \
    severity:'4', \
    id:'960911', \
    ver:'OWASP_CRS/2.2.6', \
    rev:'2', \
    maturity:'9', \
    accuracy:'9', \
    logdata:'%{request_line}', \
    phase:1, \
    block, \
    t:none, \
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
    tag:'CAPEC-272', \
    setvar:'tx.msg=%{rule.msg}', \
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

-- 
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
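Editor's note: the message above asks reviewers to check the operator and report false positives. The following is an added self-check, not part of Ryan's message or the CRS project code: it copies the positive-security regex from rule 960911 as posted (the part after the "!" negation) into Python's re module, which accepts the scoped (?i:...) group and the rest of the pattern's syntax, and evaluates it against a set of constructed request lines. The sample lines are made up for this example; the function names and the assumption that ModSecurity's REQUEST_LINE carries no trailing CRLF are the editor's.

```python
import re

# The positive-security pattern from rule 960911 as posted above (the text
# after the "!" negation), copied unchanged. Python's re accepts the scoped
# (?i:...) group and the rest of the syntax, so on the ASCII request lines
# below the match result is the same as under PCRE in ModSecurity.
RULE_960911_REGEX = (
    r"^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*"
    r"(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?"
    r"|options \*)\s+[ \w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)
REQUEST_LINE_RE = re.compile(RULE_960911_REGEX)


def request_line_is_valid(line: str) -> bool:
    """True when REQUEST_LINE matches the rule's regex (looks well formed)."""
    return REQUEST_LINE_RE.search(line) is not None


def rule_960911_fires(line: str) -> bool:
    """The SecRule negates the operator ("!^..."), so it fires on lines that
    do NOT match the regex."""
    return not request_line_is_valid(line)


# Constructed sample request lines for this example (not captured traffic).
# Assumption: ModSecurity's REQUEST_LINE variable carries no trailing CRLF,
# so none is included here.
SAMPLES = [
    # well-formed lines the rule should let through
    "GET / HTTP/1.1",
    "GET /index.php?id=1 HTTP/1.1",
    "GET http://example.com:8080/path HTTP/1.1",
    "POST /upload HTTP/1.1",
    "CONNECT 192.168.1.10:443 HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "GET /",                                            # HTTP/0.9 simple request
    # malformed lines the rule should catch
    "GET index.html HTTP/1.1",                          # abs_path must start with "/"
    "POST index.html HTTP/1.1",
    "GET /search?q=1 HTTP/1.1 <junk>",                  # trailing garbage after version
    # edge cases a reviewer of the regex should know about
    "CONNECT example.com:443 HTTP/1.1",                 # hostname target: fires
    "GET /<script>alert(1)</script> HTTP/1.1 <junk>",   # no "?" or "#": passes
]


def evaluate(lines=SAMPLES) -> dict:
    """Map each request line to whether rule 960911 would fire on it."""
    return {line: rule_960911_fires(line) for line in lines}


if __name__ == "__main__":
    for line, fires in evaluate().items():
        print(f"{'FIRE' if fires else 'pass'}  {line!r}")
```

Two results from the sample set are worth raising in the review the message asks for. First, the last alternative, `get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?`, accepts any GET request line that contains no `?` or `#`, because `[^?#]*` is otherwise unrestricted: the `<script>` sample with trailing garbage passes, while the otherwise similar line with a `?` in it fires. Second, the CONNECT alternative only admits a dotted-quad IP as the target, so a CONNECT to a hostname fires even though it is well formed. Note also that the version token class `[ \w\./]+` as posted contains a literal space.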