Hi Ryan,

Adding "t:normalizeSQLi" for custom SQLi rules makes perfect sense to me.

I am also wondering whether it makes sense to transform the existing ModSecurity
signatures into libinjection fingerprints as well, so that ModSecurity would
work uniformly by calling libinjection with a single set of fingerprints
merged from both sources for SQLi, and would also share the same level of
accuracy, as opposed to chaining the two together?

However, it will be interesting to learn the coverage of the libinjection
fingerprints and the ModSecurity signatures; any thoughts on that?

I am about to plan this work based upon your feedback.

Thanks,

RS.

From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: January-31-13 5:22 PM
To: Rolling Stone; 'Ryan Barnett';
owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] LibInjection

I agree with you that libinjection could be used potentially in all three of
the scenarios you outlined. Our discussions so far have centered around
adding it as a new operator, such as @detectSQLi, and you would pass it a
parameter which is the fingerprints.txt file:

SecRule ARGS "@detectSQLi fingerprints.txt"

The libinjection code would need to be updated to allow for passing the
fingerprints.txt file data rather than having it compiled in as it is
today. This would allow for updating fingerprints without the need to
recompile ModSecurity code.

As to your first point, I see value there as well. The idea would be to
add a new transformation function such as t:normalizeSQLi and then add it
to all SQLi signatures that you write. This transformation function would
do the normalization/tokenization of the data. This would then allow you to
write your signatures and rules in an easier manner, as you wouldn't have to
account for the myriad of permutations and combinations of evasion.

The bottom line is that I see a lot of uses for this feature :)  I would LOVE
for someone to help.

-RB
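A toy sketch of the two mechanisms Ryan describes, added here as an illustration and not code from this thread, from ModSecurity or from libinjection: a normalization step that reduces an input to a token fingerprint (the kind of value a t:normalizeSQLi transformation could hand to downstream signature rules), and a lookup of that fingerprint in a set parsed at run time from fingerprints.txt-style data (the kind of thing an @detectSQLi operator taking a file argument would do). The token alphabet, the five-token cap, the contents of the sample fingerprint list and the sample inputs are all constructed for this example and are far simpler than libinjection's real tokenizer and fingerprint set; what the sketch does borrow from libinjection is the idea of evaluating the input as-is and as though it were already inside a single- or double-quoted string.

```python
"""Toy sketch of a normalize-then-fingerprint-match SQLi check.

Illustration only: the token classes, the cap on fingerprint length and the
sample fingerprints below are invented for this example and are far simpler
than libinjection's real ones.
"""
import re

# Invented token alphabet (not libinjection's). Order matters: more specific
# patterns come first so that e.g. a "--" comment wins over a minus operator.
TOKEN_PATTERNS = [
    ("c", r"--[^\n]*|/\*.*?\*/|#[^\n]*"),               # comment
    ("s", r"'(?:[^'\\]|\\.)*'?|\"(?:[^\"\\]|\\.)*\"?"),  # string, possibly unterminated
    ("n", r"\d+(?:\.\d+)?"),                             # number
    ("&", r"\b(?:and|or|not)\b"),                        # logical operator
    ("k", r"\b(?:select|union|from|where|insert|update|delete|drop|sleep|waitfor)\b"),
    ("v", r"[a-z_][a-z0-9_]*"),                          # bare word / identifier
    ("o", r"<>|<=|>=|!=|=|<|>|\|\||[-+*/%]"),            # comparison / arithmetic
    ("(", r"\("),
    (")", r"\)"),
    (",", r","),
    (";", r";"),
]
_COMPILED = [(typ, re.compile(pat, re.DOTALL)) for typ, pat in TOKEN_PATTERNS]

# Fingerprints are capped at a handful of tokens so the match set stays small
# and does not depend on how much harmless text follows the interesting part.
MAX_TOKENS = 5

# Constructed fingerprints.txt-style data: one fingerprint per line. Loaded at
# run time, so it can change without recompiling anything.
FINGERPRINTS_TXT = """\
# constructed sample list; not libinjection's fingerprints
s&sos
n&non
sc
n;k
s;k
"""


def tokenize(sql: str) -> list[str]:
    """Lower-case the input and reduce it to a list of token classes."""
    text = sql.lower()
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        for typ, rx in _COMPILED:
            m = rx.match(text, pos)
            if m:
                tokens.append(typ)
                pos = m.end()
                break
        else:
            pos += 1  # character outside the toy grammar: ignore it
    return tokens


def fingerprint(sql: str, context: str = "") -> str:
    """Normalize one input into its fingerprint. `context` is a quote prefix
    that models the value landing inside an already-open string literal."""
    return "".join(tokenize(context + sql)[:MAX_TOKENS])


def load_fingerprints(text: str) -> frozenset[str]:
    """Parse fingerprints.txt-style data; blank lines and # comments are ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line)
    return frozenset(entries)


# As libinjection does, evaluate the input as-is and as though it were already
# inside a single- or double-quoted string: the rule cannot know how the
# application quotes the value.
CONTEXTS = ("", "'", '"')


def is_sqli(sql: str, fingerprints: frozenset[str]):
    """Return the first matching fingerprint, or None when no context matches."""
    for ctx in CONTEXTS:
        fp = fingerprint(sql, ctx)
        if fp in fingerprints:
            return fp
    return None


FINGERPRINTS = load_fingerprints(FINGERPRINTS_TXT)

if __name__ == "__main__":
    for sample in ("1' OR '1'='1", "admin'--", "1 OR 1=1",
                   "O'Reilly", "hello world", "select the best option"):
        print(f"{sample!r:28} -> {is_sqli(sample, FINGERPRINTS)}")
```

The contrast between the last three samples and the first three is the point of the fingerprint approach: a surname with an apostrophe or a sentence that happens to contain the word "select" produces token sequences that are not in the list, whereas the quoted-context evaluation turns the classic tautology into the same `s&sos` fingerprint regardless of spacing or case. The `fingerprint()` output is what a t:normalizeSQLi-style transformation would expose to a signature rule; `load_fingerprints()` is the run-time file loading Ryan says libinjection would need to gain.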

From: Rolling Stone <jzy2...@hotmail.com>
Date: Thursday, January 31, 2013 11:11 AM
To: Ryan Barnett <ryan.barn...@owasp.org>,
"owasp-modsecurity-core-rule-set@lists.owasp.org"
<owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] LibInjection

If my understanding is correct, there are 3 possible ways for libinjection to
be useful:

- Normalizing user input, to make CRS signature-based SQLi detection work
better.

- Streamlining signature-based SQLi detection and libinjection to improve
the SQLi detection rate.

- Or, libinjection and fingerprint detection as a replacement for
signature-based SQLi.

Which direction makes more sense if community support is available?

Thanks,

-RS

From: Ryan Barnett [mailto:ryan.barn...@owasp.org] 
Sent: January-30-13 11:23 AM
To: Rolling Stone; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] LibInjection

No, not yet. Breno will get to it eventually; however, this could be
expedited if someone from the community wants to help.

-Ryan

From: Rolling Stone <jzy2...@hotmail.com>
Date: Wednesday, January 30, 2013 11:20 AM
To: <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] LibInjection

The CRS roadmap has a plan to include the C Libinjection; any idea when this
integration will be completed?

Thanks,

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set