Under CRS-2.2.9, under the "slr_rules" directory, each of these 2
files has the above 2 rules, but with different subsequent chains in the 2
different files.

Filename: modsecurity_crs_46_slr_et_wordpress_attacks.conf

# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"

SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

Filename: modsecurity_crs_46_slr_et_xss_attacks.conf

# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"

SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

-----

Similarly for rule with id: 2011258.

Is this behaviour intentional, or do we have an ID numbering bug?

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
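
An added example, not part of the original message or of the CRS: a small checker that reports rule IDs declared more than once across a set of ModSecurity rule files, which is the condition asked about above. The rule bodies are constructed, abbreviated stand-ins for the two files named in the message, and ID 9990001 is a constructed non-duplicate.

```python
import re
from collections import defaultdict

# Constructed, abbreviated copy of the chain starter shared by both files.
CHAIN_START = r'''SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" \
    "chain,phase:2,block,t:none,capture,severity:'2',id:2011257,rev:2"
'''
SAMPLE_FILES = {
    "modsecurity_crs_46_slr_et_wordpress_attacks.conf":
        "# (2011257) FireStats XSS attempt\n" + CHAIN_START +
        r'''SecRule ARGS:edit "(?i:edit\x3d.+(script|onload))" \
    "setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
''',
    "modsecurity_crs_46_slr_et_xss_attacks.conf":
        CHAIN_START +
        r'''SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" \
    "setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
SecRule ARGS "@contains constructed" "phase:2,pass,id:9990001"
''',
}

# An id action is preceded by a quote, comma or whitespace; %{rule.id} is not.
ID_RE = re.compile(r"[\"',\s]id:'?(\d+)")

def logical_lines(text):
    """Join backslash-continued lines; skip comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf:
            yield buf
        buf = ""

def rule_ids(text):
    """IDs declared by SecRule/SecAction directives (chained rules carry none)."""
    for line in logical_lines(text):
        if line.startswith(("SecRule", "SecAction")):
            m = ID_RE.search(line)
            if m:
                yield m.group(1)

def duplicate_ids(files):
    """Map each ID seen more than once to the files that declare it."""
    seen = defaultdict(list)
    for name, text in files.items():
        for rid in rule_ids(text):
            seen[rid].append(name)
    return {rid: names for rid, names in seen.items() if len(names) > 1}
```

To check a real tree, read each `.conf` file into a `{filename: text}` dict and pass it to `duplicate_ids`.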
