I actually like both ideas. I think having the @detectSQLi operator with the path to the fingerprints.txt file is a good approach, as it would allow the rule itself to stay the same while the fingerprints.txt file can simply be updated as new payloads are captured.

As for adding a new t:normalizeSQLi transformation function, I think it could have value; however, we would need to revalidate/update all of the other SQLi rules to account for the normalizing that libinjection would do. I am not saying that this is a bad thing, just needed. I think adding libinjection code in any capacity would be a great step forward.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Rolling Stone <jzy2...@hotmail.com>
Date: Wednesday, February 13, 2013 12:08 PM
To: Ryan Barnett <rbarn...@trustwave.com>, Ryan Barnett <ryan.barn...@owasp.org>, owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] LibInjection

Hi Ryan,

Adding "t:normalizeSQLi" for custom SQLi rules makes perfect sense to me. I am also thinking about whether it makes sense to transform existing ModSecurity signatures to libinjection fingerprints as well, so that ModSecurity will work uniformly by calling libinjection using a single set of fingerprints merged from both sources for SQLi and also share the same level of accuracy, as opposed to chaining the two together? However, it will be interesting to learn the coverage of the libinjection fingerprints and the ModSecurity signatures; any thoughts on that? I am about to plan this work based upon your feedback.

Thanks,
RS.

From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: January-31-13 5:22 PM
To: Rolling Stone; 'Ryan Barnett'; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] LibInjection

I agree with you that libinjection could potentially be used in all three of the scenarios you outlined.

Our discussions so far have centered around adding it as a new operator such as @detectSQLi, and you would pass it a parameter which is the fingerprints.txt file:

    SecRule ARGS "@detectSQLi fingerprints.txt"

The libinjection code would need to be updated to allow for passing in the fingerprints.txt file data rather than having it compiled in as it is today. This would allow for updating fingerprints without the need to recompile ModSecurity code.

As to your first point, I see value there as well. The idea would be to add a new transformation function such as t:normalizeSQLi and then add it to all SQLi signatures that you write. This transformation function would do the normalization/tokenization of the data. This would then allow you to write your signatures and rules in an easier manner, as you wouldn't have to account for the myriad of permutations and combinations of evasion.

Bottom line is that I see a lot of uses for this feature :) I would LOVE for someone to help.

-RB

From: Rolling Stone <jzy2...@hotmail.com>
Date: Thursday, January 31, 2013 11:11 AM
To: Ryan Barnett <ryan.barn...@owasp.org>, owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] LibInjection

If I understand correctly, there are 3 possible ways for libinjection to be useful:

- Normalizing user input, to make CRS signature-based SQLi detection work better.
- Streamlining signature-based SQLi detection and libinjection to improve the SQLi detection rate.
- Or, libinjection and fingerprint detection as a replacement for signature-based SQLi.

Which direction makes more sense if community support is available?

Thanks,
-RS

From: Ryan Barnett [mailto:ryan.barn...@owasp.org]
Sent: January-30-13 11:23 AM
To: Rolling Stone; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] LibInjection

No, not yet. Breno will get to it eventually; however, this could be expedited if someone from the community wants to help.

-Ryan

From: Rolling Stone <jzy2...@hotmail.com>
Date: Wednesday, January 30, 2013 11:20 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] LibInjection

The CRS roadmap has a plan to include C libinjection; any idea when this integration will be completed?

Thanks,

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
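The two integration points debated at the top of this thread, an @detectSQLi operator that reads an external fingerprints.txt instead of a compiled-in table, and a t:normalizeSQLi transformation that tokenizes a value before signature rules see it, modelled in Python. This is an added example, not code from the thread, from libinjection, or from ModSecurity: the lexer, the token alphabet (s/n/k/w/o/c), the keyword list, the contents of the stand-in fingerprints file, the function names and every sample input are simplified constructions for illustration and do not reproduce libinjection's real tokenizer or fingerprint database.

```python
import re

# Added example: a deliberately simplified model of the two proposals in the
# thread. Token alphabet, keyword list and fingerprint file are constructed
# here and are NOT libinjection's real lexer, alphabet or fingerprints.txt.
#
# Token kinds: s = string literal, n = number, k = SQL keyword,
#              w = bare word/identifier, o = operator, c = comment, ( and ).
KEYWORDS = {"select", "union", "or", "and", "from", "where",
            "insert", "update", "delete", "drop"}

TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)                      |
    (?P<string>'(?:[^'\\]|\\.)*(?:'|$)|"(?:[^"\\]|\\.)*(?:"|$))    |
    (?P<number>0x[0-9a-fA-F]+|\d+(?:\.\d+)?)                       |
    (?P<word>[A-Za-z_][A-Za-z0-9_]*)                               |
    (?P<op>!=|<>|<=|>=|\|\||&&|[=<>+\-*/%,;])                      |
    (?P<paren>[()])                                                |
    (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(text):
    """Lex input into (kind, lexeme) pairs; whitespace dropped, unknown bytes skipped."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:                      # byte this toy lexer does not understand
            pos += 1
            continue
        pos, kind, lexeme = m.end(), m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            kind = "k" if lexeme.lower() in KEYWORDS else "w"
        elif kind == "paren":
            kind = lexeme
        else:
            kind = kind[0]                 # comment->c, string->s, number->n, op->o
        tokens.append((kind, lexeme))
    return tokens


def fingerprint(text, max_tokens=5):
    """Token-kind string for the input; comments dropped (they are whitespace to SQL)."""
    kinds = [k for k, _ in tokenize(text) if k != "c"]
    return "".join(kinds[:max_tokens])


def context_fingerprints(text):
    """A value may land bare, inside '...' or inside "..." in the real query; try each."""
    return {fingerprint(prefix + text) for prefix in ("", "'", '"')}


def load_fingerprints(file_text):
    """Parse the data file the proposed operator would read at runtime."""
    entries = set()
    for line in file_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line)
    return entries


# Constructed stand-in for fingerprints.txt (not libinjection's real database).
FINGERPRINTS_TXT = """
# one fingerprint per line, '#' starts a comment
sksos   # string keyword string operator string: tautology inside a quoted value
nkkwo   # number keyword keyword word operator: UNION SELECT col, ... after a number
"""


def detect_sqli(value, fingerprints):
    """Model of SecRule ARGS "@detectSQLi fingerprints.txt": hit if any context matches."""
    return any(fp in fingerprints for fp in context_fingerprints(value))


def normalize_sqli(value):
    """Model of t:normalizeSQLi: canonical token text for signature rules to match on."""
    out = []
    for kind, lexeme in tokenize(value):
        if kind == "c":
            continue
        out.append({"s": "STR", "n": "NUM", "w": "ID", "k": lexeme.upper()}.get(kind, lexeme))
    return " ".join(out)


# A tautology signature written against the raw value must enumerate evasions
# itself; the same idea written against the normalized form does not.
RAW_TAUTOLOGY = re.compile(r"(?i)\bor\s+\d+\s*=\s*\d+")
NORMALIZED_TAUTOLOGY = re.compile(r"\bOR NUM (?:=|<>|!=|<=|>=|<|>) NUM\b")


def raw_signature_hits(value):
    return RAW_TAUTOLOGY.search(value) is not None


def normalized_signature_hits(value):
    return NORMALIZED_TAUTOLOGY.search(normalize_sqli(value)) is not None


if __name__ == "__main__":
    fps = load_fingerprints(FINGERPRINTS_TXT)
    for sample in ("1' OR '1'='1", "' oR/**/'1'='1", "O'Reilly", "1 oR/**/1=1"):
        print(repr(sample), context_fingerprints(sample), detect_sqli(sample, fps),
              repr(normalize_sqli(sample)), raw_signature_hits(sample),
              normalized_signature_hits(sample))
```

Two things the model makes visible. First, the comment-padded variant only reaches the "sksos" fingerprint because the detector re-lexes the value as if it sat inside an already-open single quote; a normalization transform applied to a bare argument sees the same value as one long string literal, so a t:normalizeSQLi would need the same context handling that the operator gets for free from the library. Second, RAW_TAUTOLOGY finds nothing in the normalized text (digits have become NUM), which is the concrete form of the point made at the top of the thread: once the transformation is in the rule chain, every existing SQLi regex has to be revalidated against the normalized form rather than the raw bytes.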